My Company is an APRA (Australian Prudential Regulation Authority) regulated entity and must remain resilient against information security incidents (including cyber-attacks) by maintaining an information security capability commensurate with its information security vulnerabilities and threats.
A key objective is to minimise the likelihood and impact of information security incidents on the confidentiality, integrity or availability of information assets, including information assets managed by related parties or third parties, by adopting appropriate principles.
Must be able to implement or support protection for data at rest and data in transit, data sanitisation controls, secure data sharing and secure data disposal methods, to prevent unauthorised access, disclosure or modification of all instances (including copies, backups and archives) of classified data or documents.
Must be able to provide or support user identity and access management, including secure authentication methods, Multi-Factor Authentication (MFA) and a strong user account and password policy.
Must be able to implement or support Role Based Access Control (RBAC) and/or Attribute or Context Based access controls for user access authorisation (privilege management), and provide a method to audit and report on user access and privilege status.
Must provide or support the implementation of a Secure Administration and Privileged User Access Management (PAM) method, including for secure remote access.
Must provide or support a method for managing and protecting the cryptographic keys, certificates, application secrets, service account passwords and cloud tenancy passwords that are used to secure data and platforms.
Application and platform components (i.e. web/cloud applications, workstation/server applications, mobile applications and operating systems) must be securely developed, configured, hardened and maintained, including authenticating critical inter-component and external connections, to prevent unauthorised access or impact from threats.
Database systems must be protected using industry recommended security controls and hardening practices.
Must be able to provide or support a method to authenticate, validate and control devices connecting to the product or service, including mobile devices, personal computing devices and external storage devices.
Must be able to routinely identify technical vulnerabilities in application and platform components and apply the necessary security patches and updates in a timely manner, and must provide continuous security awareness training for staff on threats, product security and good security practices.
Must be able to protect product or service platform and infrastructure components from malware, unauthorised mobile code and other similar threats.
Must support continuous logging, auditing and monitoring of crucial application and platform level security events, user events and critical application or data transactions, including: - supporting connectivity to a continuous security event monitoring service (e.g. a SIEM); - having the ability to retain and protect audit, system and security logs.
Must have arrangements to respond to, contain, investigate and manage security incidents, including agreed breach notification procedures.
Must be able to meet recovery, service continuity and high-availability/resiliency requirements, including establishing recovery objectives and support arrangements that meet operational, regulatory or legal requirements.
Must be able to provide network protection controls and secure communication services, such as firewalling, secure gateways, proxy services and wireless network controls (if used), and use network access control lists to protect exposed product or service components from external and internal threats.
Must be able to support a capability to manage technical assets and to maintain and validate technical security configuration baselines (for hardware and software on servers, workstations, networks and mobile devices), and must follow controlled change management procedures for applications, platforms and network infrastructure.
If used, web browsers and/or the classified content in emails or messaging services must be protected using industry recommended methods and must use secure messaging infrastructure.
Must demonstrate adequate governance and processes in place to manage security risks to data, products and services, including threats from sub-contractors, partners and related third parties.
Must be able to demonstrate adequate physical security and environmental protection for data and product components.
Must ensure Application Programming Interfaces (APIs) incorporate protection controls to safeguard them from internal and external threats.
Must establish a comprehensive control mechanism to manage and mitigate the impact of security breaches, ensuring the protection of sensitive data and maintaining the integrity of the organisation's systems.