A thumb being scanned for security access

Security Controls

How we secure our systems


System configuration

Information Technology (IT) systems are created using a combination of:

  • operating system software
  • application software products
  • cloud services (some of the time)

These components all have configuration options that trade off functionality and security. The selection of secure configuration options is also known as system hardening. It’s the process of assessing these configuration options and selecting settings that maximise security, whilst still allowing the product or service to operate as it should.

To ensure we’re getting the most from our IT systems, we follow industry-standard configuration recommendations produced by the Center for Internet Security (CIS). All configuration recommendations are assessed and approved by the Information Security Team, and only the applicable standards are implemented.


Access controls

Access controls help us keep IT systems and data secure by authenticating and authorising system users. This usually involves a username and password but can also require the use of Multi-Factor Authentication (MFA) – see below for further details.

Once the user is authenticated, the IT system determines which functions and data they can access, and this is based on their role within Southern Cross. We call this Role-Based Access Control (RBAC), and users are only granted the level of authorisation required to perform their jobs.

Multi-Factor Authentication: all Southern Cross systems and applications are secured with at least a username and password. MFA is an extra layer of security and one of the strongest ways to protect against unauthorised access to data.

Our team members are required to enter two or more credentials to authenticate their identity, such as username and password, and a token number as secondary authentication.

We implement MFA as and when required, and this is based on risk levels. For example, MFA is required when:

  • administrative staff need access to IT systems
  • employees need to access our IT systems using the Internet, such as when working remotely

Role-Based Access Control (RBAC): we provide access rights to employees based on their role within the organisation. Controlled by RBAC, they only have access to the information they need to perform a specific function.

Access approval

Access to IT systems and applications is approved by the owner of the IT systems, and at times by the Information Security team. Access rights are checked and validated periodically, and access is removed if the employee leaves or changes their role within Southern Cross.


24x7 monitoring and logging

All information systems which create, maintain, store, access, process, or transmit information or business data are monitored 24x7 for vulnerabilities and intrusions. We use robust monitoring tools to oversee and log all events and transactions that occur within the Southern Cross environment.

Log files are kept as a permanent record and are examined by the Security Operations team to identify any suspicious behaviour or potential security incidents. Real-time monitoring and alerting systems are also used to detect, respond to, and prevent live security incidents.

Log files may also be used to:

  • investigate an incident or a breach
  • establish the cause of the attack
  • monitor compliance with internal security policies and guidelines

Resilience

Resilience is the process of being able to prepare for, respond to, and recover from unpredictable disasters or business disruptions.

To avoid loss of data in the event of a disaster, we do two key things:

  • we securely back up data on a regular basis
  • we host our IT systems and data in data centres in different geographic regions

This allows us to minimise any disruption to services due to natural disasters, security breaches, and other deliberate attacks.


How we secure our information


Information management

Personal information is handled in accordance with our Member Privacy Statement.


Information classification

Any information we collect is classified into two categories: Confidential and Highly Protected data. The higher the risk the information poses, the stronger the security measures applied to safeguard it.

Storage and protection of information

We store all information in secure data repositories which are governed by appropriate and traceable user access controls. Access to this information is only granted with the authorisation of the information owner, or within approved access rights.

Disposal of information

The length of time we’re required to retain information varies between the types of records held and the governing legislation.

Information shared with third parties

Information can only be shared with approved third parties and only with the appropriate legal and contractual protections in place. All third-party providers must abide by the same high safeguarding standards as Southern Cross.

Data encryption

Southern Cross’ information systems encrypt data at-rest and in-transit. Here’s what that means:

Encryption at-rest: applies when information is stored in a database, on a device or on the network. Encryption at-rest protects the data against a number of attack techniques, although the data does need to be decrypted before it’s processed.

Encryption in-transit: applies when data is moving from one system to another, or from a system to a user over the Internet. Encryption in-transit protects the data from being intercepted and disclosed, and from being tampered with. We use Secure Sockets Layer (SSL) 128-bit security to encrypt data. Each of our secure websites has an SSL certificate, issued by an industry-recognised certification authority. This confirms that the website is genuine and secure.

Encryption algorithms: Although we prefer up-to-date encryption algorithms, we may need to support older encryption algorithms as they’re still being used by customers and healthcare providers.


How we secure our third-party services


We only work with reputable third-party service providers who can demonstrate that they implement industry best practices and comply with applicable legislation.

By using software products and cloud services that have obtained and maintained certification to an international standard such as ISO27001 or NIST SP 800-53, we’re confident of both product quality and vendor maturity. If you’d like to know more about how we work with third parties and the services we use, visit Third-party service providers.

