Loading component...

Trust centre

Home

Security approach and controls

Loading component...

Security approach and controls

Access controls

Audit logging is enabled across all information technology (IT) systems, with logs centralised for management. Access controls ensure that users are authenticated and authorised based on their roles within Southern Cross through Role-Based Access Control (RBAC), limiting access to the minimum information necessary for their functions.
All privileged accounts require Multi-Factor Authentication (MFA), and everyone is assigned a unique user ID with Single Sign-On (SSO) for application access.
Access approvals are managed by system owners and validated periodically, with rights revoked promptly when an employee changes roles or leaves the Society.
We have documented requirements for managing login accounts for accessing information, systems, devices, and networks that apply to everyone (including contractors and third parties) who utilise or manage these accounts.
Our password policy aligns with National Institute of Standards and Technology (NIST) guidelines, and Azure Active Directory (AD) password protection is implemented to enhance security.

Loading component...

Endpoint security

Endpoint protection agents are deployed to all devices on the network.
Monitoring and alert response is provided by a managed Secure Operation Centre (SOC) service 24/7.
Southern Cross use industry-standard configuration recommendations produced by the Centre for Internet Security (CIS).
We have documented requirements for the management and protection of Southern Cross’s devices – including the minimum requirements to which a Southern Cross device should comply, to provide appropriate protection.
All configuration recommendations are assessed and approved by the Information Security Team, and only the applicable standards are implemented.

Loading component...

Network security

Firewalls are strategically deployed throughout our network, ensuring that all connections to external networks are securely terminated.
For remote access, we enforce conditional access rules, requiring everyone to utilise multi-factor authentication.
We employ Network Intrusion Detection and Prevention Systems (NIDS/NIPS) and collaborate with external consultancy firms for penetration testing, code reviews, and configuration compliance assessments tailored to the criticality of our information technology (IT) systems.
Our network includes a demilitarized zone (DMZ) environment dedicated to the transmission, processing, or storage of scoped systems and data.
We have documented requirements for systems and devices that manage and access our technology networks, including mandated configurations and change processes.

Loading component...

Incident response and disaster recovery

All crucial IT systems and applications are equipped with alerts to notify our security team of unusual behaviour or known threats. Additionally, we collaborate with third-party service providers to monitor our network and systems, collecting and analysing logs to identify suspicious activities for further investigation. To bolster our defences, we also employ anti-malware and intrusion detection software on all workstations and servers.
We have documented procedures for detecting and responding to unauthorised access or data disclosure. These include defined team roles and responsibilities, incident management tools, and the necessary steps for investigation, communication, resolution, and stakeholder engagement.
To safeguard against data loss in the event of a serious incident, Southern Cross implements two key strategies: we regularly back up our data securely and host our IT systems and data in data centres across multiple geographic regions. This approach minimises service disruptions caused by natural disasters, security breaches, or deliberate attacks.
Additionally, we conduct annual testing of our Disaster Recovery and Business Continuity plans for critical business systems, which includes transitioning from production to standby/disaster recovery environments to ensure effectiveness.

Loading component...

Vulnerability and patch management

Our Information Technology (IT) systems are subject to rigorous assessment activities, including penetration testing and vulnerability scans of websites, applications, and networks.
Our information security team continuously proactively monitors our environment for real-time threats and vulnerabilities so we can swiftly respond to any attempts to breach our network and safeguard sensitive information.
Our vulnerability management programme ensures ongoing assessment and verification of security risks, allowing us to implement immediate fixes for short-term issues while prioritising more significant threats.

Loading component...

How to report a security vulnerability

If you think you may have found a vulnerability in our systems, we’d like to hear from you.
Please note: we do not operate a bug bounty program.

Please provide an email address, and our security team will contact you to arrange sharing your findings:

Please help protect our information by

Handling it in accordance with local laws.
Not accessing, modifying or deleting any data.
Not publicly disclosing findings.

Secure system design

The information security team plays a critical role in the design and implementation of information technology (IT) systems by identifying security requirements during the project planning phase, ensuring that security is integrated throughout all stages of design and development. This comprehensive approach allows for security to be tracked and tested until deployment, aiming to create information systems and software applications that are secure, stable, and reliable.
During the planning and design phases, the information security team includes IT architects and designers to perform threat modelling, which helps to identify risks, weaknesses, and necessary security controls. All major designs undergo peer review by specialists and receive approval before deployment. We maintain separate development, testing, and staging environments from production to ensure access control requirements are meticulously tracked through to implementation.
All new or significantly altered systems must undergo penetration testing before going live, ensuring a secure and effective deployment.
Our process involves assessing configuration settings to maximize security while maintaining functionality, guided by industry-standard recommendations from the Centre for Internet Security (CIS). All major configuration recommendations are evaluated and approved by the information security team prior to implementation.

Loading component...

Loading component...

Loading component...

Security approach and controls

Access controls

Loading component...

Endpoint security

Loading component...

Network security

Loading component...

Incident response and disaster recovery

Loading component...

Vulnerability and patch management

Loading component...

How to report a security vulnerability

Secure system design

Loading component...

What we offer

Who we're for

Important information

Quick links

Help links

Loading component...

Loading component...

Endpoint security

Network security

Incident response and disaster recovery

Vulnerability and patch management

Secure system design

What we offer

Who we're for

Important information

Quick links

Help links

Loading component...

Loading component...

Loading component...

Loading component...

Loading component...

In this section

Loading component...

Loading component...

Security approach and controls

Access controls

Loading component...

Endpoint security

Loading component...

Network security

Loading component...

Incident response and disaster recovery

Loading component...

Vulnerability and patch management

Loading component...

How to report a security vulnerability

Secure system design

Loading component...

What we offer

Who we're for

Important information

Quick links

Help links

In this section

Endpoint security

Network security

Incident response and disaster recovery

Vulnerability and patch management

Secure system design

What we offer

Who we're for

Important information

Quick links

Help links

Loading component...

Loading component...

Loading component...

Loading component...

Loading component...