Security is essential to safeguard our organisation and especially the information we hold about members and business customers. We need to protect our people, data, information and systems - and our brand. Our leadership team is committed to creating a culture where everyone is proactively responsible for security at work, complying with all applicable legislation, and working on best practices.

When it comes to managing and mitigating risks related to confidentiality, integrity, and availability of information and our IT systems, we plan and prepare thoroughly – not just for the expected threats, but for the leftfield risks too.




Event
A log of usual or unusual activities that occur within a system, application, or network. For example, any software updates or installations happening to devices, network load, system or application errors and more.

Incident
An event that may pose a threat to the information or systems of an organisation, or to the privacy of our members. This includes transmission, retrieval, and storage of information.

IT system
Information Technology (IT) services and applications that support a set of business processes, and store and manage information. 

Security control
A safeguard or measure that’s implemented to avoid, detect or minimise security risks to data, business applications, systems or physical property. 

Security patch
A fix or a modification made to software or hardware to address a vulnerability, or to help improve the reliability and security of a product.

System hardening
The process of assessing operating system software, applications, and cloud services configuration options, and selecting settings that maximise security while still allowing the product or service to operate.

Third-party service provider
An external partner, vendor, consultant, or an independent contractor that provides specialised products, services and other expertise to Southern Cross.  

Vulnerability
A software defect or misconfiguration that could be exploited to gain unauthorised access to an IT system.

Our operation

How we identify, monitor, and report security issues


Vulnerability management

Detecting potential security risks, even before they happen, is one of our Security team’s most crucial tasks. By proactively monitoring our environment to identify security threats and vulnerabilities in real time, we can act immediately should a hacker try to break into our network and steal sensitive information.

To help us in our fight against cyber threats, we’ve deployed various scanning tools to assist with the search, identification and validation of vulnerabilities. These can effectively inform us of the potential impact to the organisation. These scans are performed at least monthly to ensure that any new weaknesses are reported as soon as possible. They also allow us to gauge the effectiveness of the countermeasures that we’ve deployed to protect our systems.

Vulnerability management provides continuous checking and verification of security risks to our business. It allows us to act fast and carry out quick fixes to any short-term issues, and focus on bigger, more critical risks to the organisation.


Event log management

IT systems within Southern Cross are configured to perform event logging. Event logging is performed to ensure we can carry out troubleshooting and trend analysis. It also helps us better understand irregular system behaviour.

By being able to view potential issues, which are correlated and entered into a central log management system, we can better understand how our systems are functioning and if they’re performing as expected. Where multiple irregular events are identified, we investigate and address this as part of the incident management process.

Our security team is supported by third-party security consultants, and together they make sure all our systems and applications are configured appropriately so that, if there is any unusual behaviour on our systems, we’ll likely detect it.


Incident management

Incident management helps us prepare for unexpected security threats that may impact or harm our environment. These threats can relate to hardware, software, and other services.

All our IT systems and applications have triggers enabled which alert our security team to any unusual system behaviour or known security threats. We also work with third-party service providers who support us by monitoring our network and systems. They collect logs of generic events using various scanning tools, analyse them, and flag any suspicious activity to our security team for investigation.

 


Responding to potential threats

To help us respond to security incidents, we’ve implemented an Incident Response Plan (IRP). The IRP outlines the procedures we use to detect and respond to unauthorised access or disclosure of private information. It also defines:

  • roles and responsibilities of the teams responsible for security
  • measures to be taken to address the incident
  • tools for managing the incident
  • steps on how the incident must be investigated, communicated, resolved, and closed
  • communication among affected stakeholders
     

Continuous development

After a security incident is resolved, we’ll perform root cause analysis. This allows us to document complete details of the incident to prevent it from happening again.

In addition, we implement practices designed to proactively reduce the risk of a privacy or data breach. These include training our team members on compliance requirements and putting in place appropriate physical security and environmental controls for our IT infrastructure.


Change management

Implementing IT changes without any interruption to our services is crucial, so our change management process ensures all changes are logged and assessed for impact, cost, benefit and risk.

We perform pre-deployment activities, and these include developing a business justification, planning and scheduling of changes, as well as obtaining prior approval from a change manager and the change advisory board. This ensures changes are reviewed, deployed, and closed in a controlled, effective manner.


Privacy breach

A privacy breach occurs when there is unauthorised access or disclosure of private information from IT systems and applications.

We constantly monitor our environment and have security controls in place aimed at preventing privacy data breaches. However, if a breach does occur, the focus shifts to minimising the reach and impact of the breach.


Tell us about our security

Although it’s highly unlikely that any gremlins will get into our system, we want to hear about them if they do. So, should you come across anything that seems fishy when you’re using our products and services, please contact us.

