Our security approach and security controls

Audit logging is enabled across all information technology (IT) systems, with logs centralised for management. Access controls ensure that users are authenticated and authorised based on their roles within Southern Cross through Role-Based Access Control (RBAC), limiting access to the minimum information necessary for their functions.
All privileged accounts require Multi-Factor Authentication (MFA), and everyone is assigned a unique user ID with Single Sign-On (SSO) for application access.
Access approvals are managed by system owners and validated periodically, with rights revoked promptly when an employee changes roles or leaves the Society.
We have documented requirements for managing login accounts for accessing information, systems, devices, and networks that apply to everyone (including contractors and third parties) who utilise or manage these accounts.
Our password policy aligns with National Institute of Standards and Technology (NIST) guidelines, and Azure Active Directory (AD) password protection is implemented to enhance security.

Endpoint protection agents are deployed to all devices on the network.
Monitoring and alert response is provided by a managed Secure Operation Centre (SOC) service 24/7.
Southern Cross use industry-standard configuration recommendations produced by the Centre for Internet Security (CIS).
We have documented requirements for the management and protection of Southern Cross’s devices – including the minimum requirements to which a Southern Cross device should comply, to provide appropriate protection.
All configuration recommendations are assessed and approved by the Information Security Team, and only the applicable standards are implemented.

Firewalls are strategically deployed throughout our network, ensuring that all connections to external networks are securely terminated.
For remote access, we enforce conditional access rules, requiring everyone to utilise multi-factor authentication.
We employ Network Intrusion Detection and Prevention Systems (NIDS/NIPS) and collaborate with external consultancy firms for penetration testing, code reviews, and configuration compliance assessments tailored to the criticality of our information technology (IT) systems.
Our network includes a demilitarized zone (DMZ) environment dedicated to the transmission, processing, or storage of scoped systems and data.
We have documented requirements for systems and devices that manage and access our technology networks, including mandated configurations and change processes.

All crucial IT systems and applications are equipped with alerts to notify our security team of unusual behaviour or known threats. Additionally, we collaborate with third-party service providers to monitor our network and systems, collecting and analysing logs to identify suspicious activities for further investigation. To bolster our defences, we also employ anti-malware and intrusion detection software on all workstations and servers.
We have documented procedures for detecting and responding to unauthorised access or data disclosure. These include defined team roles and responsibilities, incident management tools, and the necessary steps for investigation, communication, resolution, and stakeholder engagement.
To safeguard against data loss in the event of a serious incident, Southern Cross implements two key strategies: we regularly back up our data securely and host our IT systems and data in data centres across multiple geographic regions. This approach minimises service disruptions caused by natural disasters, security breaches, or deliberate attacks.
Additionally, we conduct annual testing of our Disaster Recovery and Business Continuity plans for critical business systems, which includes transitioning from production to standby/disaster recovery environments to ensure effectiveness.

Our Information Technology (IT) systems are subject to rigorous assessment activities, including penetration testing and vulnerability scans of websites, applications, and networks.
Our information security team continuously proactively monitors our environment for real-time threats and vulnerabilities so we can swiftly respond to any attempts to breach our network and safeguard sensitive information.
Our vulnerability management programme ensures ongoing assessment and verification of security risks, allowing us to implement immediate fixes for short-term issues while prioritising more significant threats.

If you think you may have found a vulnerability in our systems, we’d like to hear from you.
Please note: we do not operate a bug bounty program.

Please provide an email address, and our security team will contact you to arrange sharing your findings:

Please help protect our information by

The information security team plays a critical role in the design and implementation of information technology (IT) systems by identifying security requirements during the project planning phase, ensuring that security is integrated throughout all stages of design and development. This comprehensive approach allows for security to be tracked and tested until deployment, aiming to create information systems and software applications that are secure, stable, and reliable.
During the planning and design phases, the information security team includes IT architects and designers to perform threat modelling, which helps to identify risks, weaknesses, and necessary security controls. All major designs undergo peer review by specialists and receive approval before deployment. We maintain separate development, testing, and staging environments from production to ensure access control requirements are meticulously tracked through to implementation.
All new or significantly altered systems must undergo penetration testing before going live, ensuring a secure and effective deployment.
Our process involves assessing configuration settings to maximize security while maintaining functionality, guided by industry-standard recommendations from the Centre for Internet Security (CIS). All major configuration recommendations are evaluated and approved by the information security team prior to implementation.