Loading component...

Security systems and information

Protecting customer information

Safeguarding customer information against security threats is one of our biggest responsibilities. We operate several information systems that deliver digital services to our members, healthcare providers, advisers, business customers, and our team members.

It’s essential that we provide services that are secure and reliable, and we demonstrate this by continuously assessing and improving security in our Information Technology (IT) services and applications, and by complying with globally recognised standards.

Our ongoing effort to improve security helps us deliver better, safer services and operate the Society efficiently and cost-effectively.

Loading component...

Control uplift
Increasing the maturity and effectiveness of a security control.

IT risk
The possibility that an IT system has a breach or other failure that leads to data loss, data integrity issues, or is unavailable. Risk is quantified in terms of likelihood and consequence. Most organisations have a ‘risk appetite’, which is the level of risk the organisation is prepared to accept. High likelihood and high consequence risks are never accepted, while low likelihood and low consequence risks may be completely acceptable unless they are easy to address.

IT systems
IT services and applications that support a set of business processes, and store and manage information.

Penetration testing
An intensive testing process where an expert in security testing (or “hacking”) techniques attempts to breach an IT system. This helps identify vulnerabilities that can be addressed before a malicious person finds them.

Personal Identifiable Information (PII)
Information about an identifiable individual, such as a member, employee, provider or adviser, governed by New Zealand’s privacy laws and (where it contains health information) the Health Information Privacy Code.

Security control
A safeguard or measure that we’ve implemented to avoid, detect or minimise security risks to data, business applications, systems or physical property.

Third-party provider
An external partner, vendor, consultant, or an independent contractor that provides specialised products, services and other expertise to Southern Cross.

Loading component...

Secure by design

Our aim is to design and implement information systems and software applications that are secure, stable and reliable. We understand the threats to each information system and use this understanding to design and deploy security controls.

During the planning and designing phase, the security operations team, IT architects and designers perform threat modelling. This allows us to:

understand the risks associated with the information system or application
identify weaknesses in the design that could be exploited by an attacker
establish the necessary security controls to mitigate threats.

Loading component...

Loading component...

All designs undergo peer review by a team of specialists and are approved before deployment.

In addition, all security control requirements are tracked through to implementation and deployment. Our IT systems also undergo several assessment and assurance activities, including penetration testing – as described below.

Secure development

Although we mainly buy software products or use cloud services from third-party vendors, there are times where we develop bespoke information systems to meet specific business needs.

Creating a bespoke information system requires several security activities, a process known as a Secure Development Lifecycle (SDLC) process.

Loading component...

our developers are trained in secure software development
source code is peer reviewed by the development team
our source code repository includes an automated code analysis tool that detects common security threats and vulnerabilities
our software testers develop and perform a set of security-related checks that are specific to the information system or application

Penetration testing

We employ an independent security consultancy to perform penetration testing and security code review of our bespoke information system(s). Penetration testing involves a tester who understands computer vulnerabilities and attack methods to breach a system or application. Security code review involves evaluating the source code of the system or application for defects. The consultant may attempt to exploit source code issues using penetration testing techniques. Security concerns discovered during the test are addressed by the team prior to deployment.

Loading component...

Secure controls

We have numerous security controls and measures in place to protect sensitive and confidential information from threats, vulnerabilities, and unauthorised access

It’s vital that we protect our information, systems, and other hardware and software that store or transmit data. To help us do this, we perform regular security assessments to identify threats and align with globally recognised industry standards and frameworks to design, develop, implement, and maintain security controls that are as robust as possible.

To learn more about how we secure our systems, information and third-party products and services, visit Security controls.

Loading component...

Loading component...

Loading component...

Security systems and information

Protecting customer information

Loading component...

Loading component...

Secure by design

Loading component...

Loading component...

Secure development

Loading component...

Penetration testing

Loading component...

Secure controls

Loading component...

Loading component...

Related information

Third-party service providers

Security compliance

What we offer

Who we're for

Important information

Quick links

Help links

Loading component...

Loading component...

Protecting customer information

Penetration testing

What we offer

Who we're for

Important information

Quick links

Help links

Loading component...

Loading component...

Loading component...

Loading component...

Loading component...

In this section

Loading component...

Security systems and information

Protecting customer information

Loading component...

Glossary

Loading component...

Secure by design

Loading component...

Loading component...

Secure development

Loading component...

Penetration testing

Loading component...

Secure controls

Loading component...

Loading component...

Related information

Third-party service providers

Security compliance

What we offer

Who we're for

Important information

Quick links

Help links

In this section

Protecting customer information

Glossary

Penetration testing

What we offer

Who we're for

Important information

Quick links

Help links

Loading component...

Loading component...

Loading component...

Loading component...

Loading component...