The Digital Service Provider (DSP) Operational Security Framework (OSF) is part of the ATO’s response to the business risks and security implications presented by the growth of digital services across the digital economy. The DSP OSF was recently reviewed, with the updated requirements released in August 2021.
If a DSP provides a software product or service that reads, stores, modifies or routes any taxation, accounting, payroll, business registry or superannuation related information, then that DSP is in scope of the OSF and will need to meet the specific security and business requirements.
DSPANZ members were heavily involved in the co-design and initial implementation of the DSP OSF and continue to be involved in the ongoing review and refinement of the framework.
All DSPs wanting to use ATO digital services will need to meet the relevant requirements, which can include, but are not limited to:
- Audit logging
- Data hosting
- Encryption key management
- Encryption at rest
- Encryption in transit
- Entity validation
- Personnel security
- Security monitoring
- Supply chain
- Third party add-ons