Secure by design
Our aim is to design and implement information systems and software applications that are secure, stable and reliable. We understand the threats to each information system and use this understanding to design and deploy security controls.
During the planning and designing phase, the security operations team, IT architects and designers perform threat modelling. This allows us to:
- understand the risks associated with the information system or application
- identify weaknesses in the design that could be exploited by an attacker
- establish the necessary security controls to mitigate threats.
All designs undergo peer review by a team of specialists and are approved before deployment.
In addition, all security control requirements are tracked through to implementation and deployment. Our IT systems also undergo several assessment and assurance activities, including penetration testing – as described below.

Secure development
Although we mainly buy software products or use cloud services from third-party vendors, there are times when we develop bespoke information systems to meet specific business needs.
Creating a bespoke information system requires several security activities, a process known as a Secure Development Lifecycle (SDLC):
- our developers are trained in secure software development
- source code is peer reviewed by the development team
- our source code repository includes an automated code analysis tool that detects common security threats and vulnerabilities
- our software testers develop and perform a set of security-related checks that are specific to the information system or application.

Penetration testing
We employ an independent security consultancy to perform penetration testing and security code review of our bespoke information system(s). In penetration testing, a tester who understands computer vulnerabilities and attack methods attempts to breach a system or application. Security code review involves evaluating the source code of the system or application for defects. The consultant may attempt to exploit source code issues using penetration testing techniques. Security concerns discovered during the test are addressed by the team prior to deployment.
Secure controls
We have numerous security controls and measures in place to protect sensitive and confidential information from threats, vulnerabilities, and unauthorised access.
It’s vital that we protect our information, systems, and other hardware and software that store or transmit data. To help us do this, we perform regular security assessments to identify threats and align with globally recognised industry standards and frameworks to design, develop, implement, and maintain security controls that are as robust as possible.
To learn more about how we secure our systems, information and third-party products and services, visit Security controls.