Protect customer information

Safeguarding customer information against security threats is one of our biggest responsibilities. We operate several information systems that deliver digital services to our members, healthcare providers, advisers, business customers, and our team members.

It’s essential that we provide services that are secure and reliable, and we demonstrate this by continuously assessing and improving security in our Information Technology (IT) services and applications, and by complying with globally recognised standards.

Our ongoing effort to improve security helps us deliver better, safer services and operate the Society efficiently and cost-effectively.



Cloud
An outsourcing model that allows organisations to use IT systems that are delivered over the Internet, rather than being physically housed within their building. Depending on the type of cloud service, the third-party provider will perform some or all of the activities required to deliver the IT system and keep it secure.
 

IT system
IT services and applications that support a set of business processes, and store and manage information.

Penetration testing
An intensive testing process where an expert in security testing techniques, also known as a hacker, attempts to breach an IT system. This helps identify vulnerabilities that can be addressed by the security team.
 

Security control
A safeguard or measure that’s implemented to avoid, detect or minimise security risks to data, business applications, systems or physical property.
 

Threat modelling
Identifying, assessing, then reducing security vulnerabilities during the design phase of a software application or an IT system.

Secure by design


Our aim is to design and implement information systems and software applications that are secure, stable and reliable. We understand the threats to each information system and use this understanding to design and deploy security controls.

During the planning and designing phase, the security operations team, IT architects and designers perform threat modelling. This allows us to:

  • understand the risks associated with the information system or application
  • identify weaknesses in the design that could be exploited by an attacker
  • establish the necessary security controls to mitigate threats.

All designs undergo peer review by a team of specialists and are approved before deployment.

In addition, all security control requirements are tracked through to implementation and deployment. Our IT systems also undergo several assessment and assurance activities, including penetration testing – as described below. 


Secure development




Although we mainly buy software products or use cloud services from third-party vendors, there are times when we develop bespoke information systems to meet specific business needs.

Creating a bespoke information system requires several security activities, known collectively as a Secure Development Lifecycle (SDLC) process:

  • our developers are trained in secure software development
  • source code is peer reviewed by the development team
  • our source code repository includes an automated code analysis tool that detects common security threats and vulnerabilities
  • our software testers develop and perform a set of security-related checks that are specific to the information system or application

Penetration testing

We employ an independent security consultancy to perform penetration testing and security code review of our bespoke information system(s). Penetration testing involves a tester who understands computer vulnerabilities and attack methods attempting to breach a system or application. Security code review involves evaluating the source code of the system or application for defects. The consultant may attempt to exploit source code issues using penetration testing techniques. Security concerns discovered during the test are addressed by the team prior to deployment.
 


Secure controls


We have numerous security controls and measures in place to protect sensitive and confidential information from threats, vulnerabilities, and unauthorised access.

It’s vital that we protect our information, systems, and other hardware and software that store or transmit data. To help us do this, we perform regular security assessments to identify threats and align with globally recognised industry standards and frameworks to design, develop, implement, and maintain security controls that are as robust as possible.

To learn more about how we secure our systems, information and third-party products and services, visit Security controls.

