Loading component...

Security governance

Security Governance is our overall approach to security management

The security of our information assets - Information Technology (IT) systems, services, and data - is the responsibility of the Southern Cross Health Society Board and the Board’s Audit and Risk Committee.

The Board’s role is to establish the security governance structure and to:

define the board sub-committees
identify executive responsibilities
develop risk management and security assurance functions

Loading component...

Loading component...

The Board also determines the organisation’s risk appetite, which is the level of risk the Society is prepared to accept. They then:

approve the risk management policy and framework
monitor the information security and the risk status

In addition, we have an Information Security Governance Committee (ISGC) and an Operational Risk Forum (ORF). They are responsible for non-Board security governance within the Society, and help ensure:

the information security strategy is well defined
the strategy aligns with the goals of the Society and with the Board’s stated risk appetite
the development, implementation, and maintenance of the information security practices are carried out properly
compliance and alignment with industry standards have been met

Security Management

The Head of Information Security (HoIS) oversees day-to-day security operations with teams responsible for:

The HoIS aligns information security with business requirements, establishes and maintains a framework of measuring and reporting on security risks, attends the Board Audit and Risk Committee and is a member of the ISGC and ORF committees.

Loading component...

Risk management

The Society has a ‘3 lines of defence’ model. This provides oversight and assurance over how we implement the Risk Management Policy, Framework and Risk Appetite statement.

The model, which aligns with the ISO31000 standard, helps to distinguish risk management according to function, for example:

functions that own and manage risks
functions that oversee risks
functions that provide independent assurance

Loading component...

Loading component...

Information asset management and security is one of the most important areas of operational risk and is closely monitored by all three lines of defence.

1st line of defence: applies to all employees in the business units - they identify, assess and manage the risk and control environment.
2nd line of defence: the Risk, Compliance and Investigations teams - they oversee, monitor, guide and challenge 1st line activities.
3rd line of defence: relates predominantly to internal and external auditors - they provide independent assurance for the Board and the leadership team over risk culture and the effectiveness of the risk management framework.

Loading component...

The Three Lines of Defence Model

	1st Line-of-Defence	2nd Line-of-Defence	3rd Line-of-Defence
	Risk Owners (The business)	Review & Challenge (Specialists within the business)	Independent Assurance (Internal audit performed by an external auditor)
Oversight of implementation	Executive and management committees or forums	Operational Risk Forum	Board Audit Committee
Management of implementation	Senior management	Risk and compliance function	Internal audit
High level responsibilities	Implementation and ongoing maintenance of the risk management framework, including: identification and effective management of risks; and issues and incident identification, recording, escalation and management managing and monitoring of remedial actions	Independent oversight of the risk profile and risk management framework, including: effective challenge to activities and decisions that materially affect the risk profile assistance in developing and maintaining the risk management framework independent reporting lines to appropriately escalate issues oversight of incident management	Independent assurance on the appropriateness, effectiveness, and adequacy of the risk management framework, including that: the framework is being used to support decision-making 1st and 2nd lines-of-defence are operating effectively improvements to the 1st and 2nd lines-of-defence are identified and recommended

Loading component...

	1st Line-of-Defence
	Risk Owners (The business)
Oversight of implementation	Executive and management committees or forums
Management of implementation	Senior management
High level responsibilities	Implementation and ongoing maintenance of the risk management framework, including: identification and effective management of risks; and issues and incident identification, recording, escalation and management managing and monitoring of remedial actions

	2nd Line-of-Defence
	Review & Challenge (Specialists within the business)
Oversight of implementation	Operational Risk Forum
Management of implementation	Risk and compliance function
High level responsibilities	Independent oversight of the risk profile and risk management framework, including: effective challenge to activities and decisions that materially affect the risk profile assistance in developing and maintaining the risk management framework independent reporting lines to appropriately escalate issues oversight of incident management

	3rd Line-of-Defence
	Independent Assurance (Internal audit performed by an external auditor)
Oversight of implementation	Board Audit Committee
Management of implementation	Internal audit
High level responsibilities	Independent assurance on the appropriateness, effectiveness, and adequacy of the risk management framework, including that: the framework is being used to support decision-making 1st and 2nd lines-of-defence are operating effectively improvements to the 1st and 2nd lines-of-defence are identified and recommended

Loading component...

Loading component...

Security governance