
Security governance

Security Governance is our overall approach to security management

The security of our information assets - Information Technology (IT) systems, services, and data - is the responsibility of the Southern Cross Health Society Board and the Board’s Audit and Risk Committee.

The Board’s role is to establish the security governance structure and to:

  • define the board sub-committees
  • identify executive responsibilities
  • develop risk management and security assurance functions

The Board also determines the organisation’s risk appetite, which is the level of risk the Society is prepared to accept. They then:

  • approve the risk management policy and framework
  • monitor the information security and the risk status

In addition, we have an Information Security Governance Committee (ISGC) and an Operational Risk Forum (ORF). They are responsible for non-Board security governance within the Society, and help ensure:

  • the information security strategy is well defined
  • the strategy aligns with the goals of the Society and with the Board’s stated risk appetite
  • the development, implementation, and maintenance of the information security practices are carried out properly
  • compliance and alignment with industry standards have been met

Security Management

The Head of Information Security (HoIS) oversees day-to-day security operations with teams responsible for:

The HoIS aligns information security with business requirements, establishes and maintains a framework of measuring and reporting on security risks, attends the Board Audit and Risk Committee and is a member of the ISGC and ORF committees.


Risk management

The Society has a ‘3 lines of defence’ model. This provides oversight and assurance over how we implement the Risk Management Policy, Framework and Risk Appetite statement.

The model, which aligns with the ISO 31000 standard, helps to distinguish risk management according to function, for example:

  • functions that own and manage risks
  • functions that oversee risks
  • functions that provide independent assurance

Information asset management and security is one of the most important areas of operational risk and is closely monitored by all three lines of defence.

  • 1st line of defence: applies to all employees in the business units - they identify, assess and manage the risk and control environment.
  • 2nd line of defence: the Risk, Compliance and Investigations teams - they oversee, monitor, guide and challenge 1st line activities.
  • 3rd line of defence: relates predominantly to internal and external auditors - they provide independent assurance for the Board and the leadership team over risk culture and the effectiveness of the risk management framework.

The Three Lines of Defence Model

1st Line-of-Defence: Risk Owners (the business)

Oversight of implementation: executive and management committees or forums
Management of implementation: senior management
High level responsibilities: implementation and ongoing maintenance of the risk management framework, including:
  • identification and effective management of risks
  • issues and incident identification, recording, escalation and management
  • managing and monitoring of remedial actions

2nd Line-of-Defence: Review & Challenge (specialists within the business)

Oversight of implementation: Operational Risk Forum
Management of implementation: risk and compliance function
High level responsibilities: independent oversight of the risk profile and risk management framework, including:
  • effective challenge to activities and decisions that materially affect the risk profile
  • assistance in developing and maintaining the risk management framework
  • independent reporting lines to appropriately escalate issues
  • oversight of incident management

3rd Line-of-Defence: Independent Assurance (internal audit performed by an external auditor)

Oversight of implementation: Board Audit Committee
Management of implementation: internal audit
High level responsibilities: independent assurance on the appropriateness, effectiveness, and adequacy of the risk management framework, including that:
  • the framework is being used to support decision-making
  • 1st and 2nd lines-of-defence are operating effectively
  • improvements to the 1st and 2nd lines-of-defence are identified and recommended
