Security systems and information

Protecting customer information

Safeguarding customer information against security threats is one of our biggest responsibilities. We operate several information systems that deliver digital services to our members, healthcare providers, advisers, business customers, and our team members.

It’s essential that we provide services that are secure and reliable, and we demonstrate this by continuously assessing and improving security in our Information Technology (IT) services and applications, and by complying with globally recognised standards.

Our ongoing effort to improve security helps us deliver better, safer services and operate the Society efficiently and cost-effectively.

  • Glossary

    Control uplift
    Increasing the maturity and effectiveness of a security control.

    IT risk
    The possibility that an IT system has a breach or other failure that leads to data loss, data integrity issues, or is unavailable. Risk is quantified in terms of likelihood and consequence. Most organisations have a ‘risk appetite’, which is the level of risk the organisation is prepared to accept. High likelihood and high consequence risks are never accepted, while low likelihood and low consequence risks may be completely acceptable unless they are easy to address.

    IT systems
    IT services and applications that support a set of business processes, and store and manage information.

    Penetration testing
    An intensive testing process where an expert in security testing (or “hacking”) techniques attempts to breach an IT system. This helps identify vulnerabilities that can be addressed before a malicious person finds them.

    Personal Identifiable Information (PII)
    Information about an identifiable individual, such as a member, employee, provider or adviser, governed by New Zealand’s privacy laws and (where it contains health information) the Health Information Privacy Code.

    Security control
    A safeguard or measure that we’ve implemented to avoid, detect or minimise security risks to data, business applications, systems or physical property.

    Third-party provider
    An external partner, vendor, consultant, or an independent contractor that provides specialised products, services and other expertise to Southern Cross.

Secure by design

Our aim is to design and implement information systems and software applications that are secure, stable and reliable. We understand the threats to each information system and use this understanding to design and deploy security controls.

During the planning and designing phase, the security operations team, IT architects and designers perform threat modelling. This allows us to:

  • understand the risks associated with the information system or application
  • identify weaknesses in the design that could be exploited by an attacker
  • establish the necessary security controls to mitigate threats.

All designs undergo peer review by a team of specialists and are approved before deployment.

In addition, all security control requirements are tracked through to implementation and deployment. Our IT systems also undergo several assessment and assurance activities, including penetration testing – as described below.

Secure development

Although we mainly buy software products or use cloud services from third-party vendors, there are times where we develop bespoke information systems to meet specific business needs.

Creating a bespoke information system requires several security activities, a process known as a Secure Development Lifecycle (SDLC) process.

  • our developers are trained in secure software development
  • source code is peer reviewed by the development team
  • our source code repository includes an automated code analysis tool that detects common security threats and vulnerabilities
  • our software testers develop and perform a set of security-related checks that are specific to the information system or application

Penetration testing

We employ an independent security consultancy to perform penetration testing and security code review of our bespoke information system(s). Penetration testing involves a tester who understands computer vulnerabilities and attack methods to breach a system or application. Security code review involves evaluating the source code of the system or application for defects. The consultant may attempt to exploit source code issues using penetration testing techniques. Security concerns discovered during the test are addressed by the team prior to deployment.

Secure controls

We have numerous security controls and measures in place to protect sensitive and confidential information from threats, vulnerabilities, and unauthorised access

It’s vital that we protect our information, systems, and other hardware and software that store or transmit data. To help us do this, we perform regular security assessments to identify threats and align with globally recognised industry standards and frameworks to design, develop, implement, and maintain security controls that are as robust as possible.

To learn more about how we secure our systems, information and third-party products and services, visit Security controls.

Related information

Third-party service providers

Learn more > 

Security compliance

Learn more > 

Security operations

Learn more >