Cloud products reading, storing, modifying or routing taxation, accounting, payroll, business registry or superannuation data will fall under either Category A, B or C of the Operational Security Framework (OSF).

The following requirements are mandatory for all cloud products:
Audit Logging

About the Requirement: Audit logging enables the traceability of access and actions within software products, which can be used to detect anomalies or support the investigation of a security incident. Logs must be kept for a minimum of 12 months and need to include:

Evidence Required: DSPs must provide dummy or authentic (with sensitive information redacted) access and event logs which include:

DSPs can provide an audit log policy to support this requirement.
Authentication

About the Requirement: Cloud products must have Multi-Factor Authentication (MFA) in place for all users. MFA is also required for any DSP staff with privileged user access. Under this requirement:

Social media credentials (Google, Microsoft, Facebook etc.) are not recommended for MFA; however, if your product is based on the use of social media credentials, you must contact the DPO.

Evidence Required:
Certification

About the Requirement: The level of certification you are required to meet is dependent on whether your products fall under Category A, B or C below. More information about each of these certifications and how they apply under the OSF can be found on pages 17-20 of the OSF requirements document.

Evidence Required: For independent certification DSPs must provide:

When self-assessing against a certification, DSPs must provide documentation demonstrating their compliance with the chosen standard, including comments on why certain controls may or may not be applicable to the organisation and how they apply.

Category A | Category B | Evidence Required |
Independent certification against either: | Independent certification or self-assessment against either: | Independent certification or self-assessment against either: |
Data Hosting

About the Requirement: Data hosting must be onshore by default. Offshore hosting arrangements, including redundant systems, are managed by exception only. Additional evidence is required for these arrangements and DSPs must consult with the ATO to ensure impacts have been addressed. Where a DSP is storing data outside of Australia, they must:

Evidence Required: Provide details of your hosting provider including:
Encryption Key Management

About the Requirement: DSPs need to demonstrate that a policy or process is in place to govern the lifecycle management of encryption keys and minimise the risks of compromised keys. The scope of the policy should cover:

As per Australian Government - Guidelines for using cryptography.

Evidence Required: Copy of the key management policy or plan.
Encryption at Rest

About the Requirement: DSPs must apply encryption at the disk, container, application or database level. Alternatively, DSPs may apply partial encryption to the data at the block, field or column level. Encryption at rest should follow Australian Government - Guidelines for using cryptography. Further controls are recommended to implement network segmentation and segregation for DSPs who have implemented encryption at rest. More information can be found at ACSC Implementing Network Segmentation and Segregation.

Evidence Required: One of the below:

If encryption at rest is not viable, DSPs should provide a screenshot or policy which demonstrates that all of the below have been met:
Encryption in Transit

About the Requirement: Encryption in transit must use an approved protocol, for example TLS 1.2 or higher, as per Australian Government - Guidelines for using cryptography and Annex A of ACSC Implementing Certificates, TLS and HTTPS.

Evidence Required: One of the following:

Indirectly connecting products must provide one of the following:
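The transit requirement above is a minimum protocol version, which is enforced at the point where a product builds its TLS context. The following is an added example (not the OSF document's own material) showing, with Python's standard `ssl` module, a client context pinned to TLS 1.2 or higher, a deliberately permissive context for contrast, and two checks a DSP could run in tests or at startup: one on the configured floor and one on the version string a live `SSLSocket.version()` reports. The `build_server_context` helper is included for completeness and assumes the certificate and key paths are supplied by the caller.

```python
import ssl
from typing import Optional

# The requirement accepts TLS 1.2 or higher; everything below is unapproved.
MIN_APPROVED = ssl.TLSVersion.TLSv1_2

# Version strings as returned by ssl.SSLSocket.version() after a handshake.
APPROVED_NEGOTIATED = {"TLSv1.2", "TLSv1.3"}


def version_is_approved(version: ssl.TLSVersion) -> bool:
    """True for TLS 1.2 and 1.3 as a configured minimum.

    The MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED sentinels are rejected: a floor
    of MINIMUM_SUPPORTED lets the library negotiate down to whatever the
    underlying OpenSSL still accepts.
    """
    if version in (ssl.TLSVersion.MINIMUM_SUPPORTED, ssl.TLSVersion.MAXIMUM_SUPPORTED):
        return False
    return version >= MIN_APPROVED


def negotiated_version_is_approved(version: Optional[str]) -> bool:
    """Check the protocol an established connection actually negotiated.

    `version` is the string from SSLSocket.version(); None means no TLS
    session exists, which is treated as a failure.
    """
    return version in APPROVED_NEGOTIATED


def context_meets_requirement(ctx: ssl.SSLContext) -> bool:
    """True when the context cannot negotiate anything below TLS 1.2."""
    return version_is_approved(ctx.minimum_version)


def build_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client context that satisfies the requirement.

    create_default_context() already enables hostname checking and certificate
    verification; the explicit minimum_version is the control under review.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = MIN_APPROVED
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def build_legacy_context() -> ssl.SSLContext:
    """Counter-example: a context that allows negotiation down to legacy
    protocol versions. Shown only so the check below has something to fail."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def build_server_context(certfile: str, keyfile: str) -> ssl.SSLContext:
    """Server-side equivalent; certfile/keyfile paths are the caller's."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MIN_APPROVED
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


if __name__ == "__main__":
    for name, ctx in (("hardened", build_client_context()),
                      ("legacy", build_legacy_context())):
        status = "meets" if context_meets_requirement(ctx) else "FAILS"
        print(f"{name} client context: minimum {ctx.minimum_version.name} -> {status} requirement")
```

The configured-floor check is what a startup self-test or unit test can assert on; the negotiated-version check is the one to record in the connection log, since a captured "TLSv1.2"/"TLSv1.3" per session is the kind of evidence the requirement asks for.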
Entity Validation

About the Requirement: DSPs must implement entity validation to ensure that the consumers/users of a commercial software product are a legitimate business and have a genuine need to access a DSP's software. DSPs must verify the entity against a reliable and independent source (e.g. the Australian Business Register) and ensure they have valid contact details including a confirmed email and phone number. Customers who do not have an ABN (e.g. a student using software for research) are only required to validate the client contact information. This does not negate the need for DSPs to meet specific service requirements relating to verification.

Evidence Required: DSPs need to provide evidence demonstrating that entity validation is in place as part of the product registration/purchase process.
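As an added illustration of the registration-time check described above (example code, not the OSF's or any DSP's own), the block below applies the published ABN check-digit rule as a first-pass format test and then enforces the two conditions the requirement actually sets: confirmation against the independent source for customers with an ABN, and confirmed email and phone contact details for everyone. The record layout and the `*_confirmed` flags are assumptions for this example; each flag stands for a verification step completed elsewhere (a confirmation code sent to the address or number, a lookup on the Australian Business Register). The ABN used in the usage section is a sample value that satisfies the checksum and is not tied to the example's fictional customer.

```python
import re
from typing import Dict, List, Optional

# Weights for the ABN check-digit algorithm: subtract 1 from the first digit,
# multiply each of the 11 digits by its weight, and the sum of a valid ABN is
# divisible by 89.
ABN_WEIGHTS = (10, 1, 3, 5, 7, 9, 11, 13, 15, 17, 19)


def normalise_abn(raw: str) -> Optional[str]:
    """Strip spaces and hyphens; return the 11-digit string or None if malformed."""
    digits = re.sub(r"[\s-]", "", raw)
    if not re.fullmatch(r"\d{11}", digits):
        return None
    return digits


def abn_checksum_ok(raw: str) -> bool:
    """Format-level check only: proves the number is well formed, not that the
    business exists or is active. That is what the ABR lookup is for."""
    digits = normalise_abn(raw)
    if digits is None:
        return False
    values = [int(c) for c in digits]
    values[0] -= 1
    total = sum(v * w for v, w in zip(values, ABN_WEIGHTS))
    return total % 89 == 0


def validate_registration(record: Dict[str, object]) -> List[str]:
    """Check a registration record against the entity-validation requirement.

    Returns the list of problems found; an empty list means the record passes.
    Keys used (all assumed for this example):
      abn                  - optional ABN string as entered by the customer
      abr_match_confirmed  - True once the ABN was confirmed on the ABR
      email_confirmed      - True once the customer proved control of the email
      phone_confirmed      - True once the customer proved control of the phone
    """
    problems: List[str] = []

    # Contact details must be confirmed for every customer, ABN or not.
    if not record.get("email_confirmed"):
        problems.append("email address not confirmed")
    if not record.get("phone_confirmed"):
        problems.append("phone number not confirmed")

    abn = record.get("abn")
    if abn is None:
        # No ABN (e.g. a student using the product for research): contact
        # validation is all the requirement asks for.
        return problems

    if not abn_checksum_ok(str(abn)):
        problems.append("ABN fails format/checksum validation")
    elif not record.get("abr_match_confirmed"):
        # A well-formed number still has to be matched against the
        # independent source before the entity counts as validated.
        problems.append("ABN not confirmed against the Australian Business Register")
    return problems


if __name__ == "__main__":
    # Constructed sample records for a registration flow.
    business = {"abn": "51 824 753 556", "abr_match_confirmed": True,
                "email_confirmed": True, "phone_confirmed": True}
    student = {"email_confirmed": True, "phone_confirmed": True}
    incomplete = {"abn": "51824753557", "email_confirmed": True, "phone_confirmed": False}
    for label, rec in (("business", business), ("student", student), ("incomplete", incomplete)):
        print(label, "->", validate_registration(rec) or "passes")
```

Keeping the checksum and the ABR confirmation as separate failures makes the evidence clearer: the first catches typos before a lookup is spent, the second is the actual control the requirement names.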
Personnel Security

About the Requirement: DSPs need to demonstrate that appropriate processes and procedures are in place for hiring, managing and terminating employees and contractors. These may include but are not limited to:

Micro DSPs (one or two employees) are exempt from this requirement unless contractors or non-employees have access to source code or data in scope of the OSF.

Evidence Required:
Security Monitoring

About the Requirement: Security monitoring practices must be implemented at the network / infrastructure, application and transaction layers. DSPs must be able to demonstrate that they scan their environment for threats and will take appropriate action where anomalies are detected.

Evidence Required:
Supply Chain

About the Requirement: Supply chain visibility seeks to identify the entities, and their functional roles, involved in the transmission of information to and from the system which generates the payload and the ATO. This includes providing details of any third-party connections to your product via APIs. The functional roles within a supply chain can be defined as:

Evidence Required: DSPs are required to provide the business details of the participants in the supply chain including:

DSPs with an add-on marketplace will need to provide additional information.
Third Party Add-on Marketplaces

About the Requirement: DSPs that partner with third-party add-on providers and allow connection via an API are required to have a security standard in place to govern these add-ons. The Security Standard for Add-on Marketplaces (SSAM) was developed as a security standard DSPs could leverage to meet this requirement. More information about the SSAM can be found here. Under this requirement, SSPs and gateways are not considered as DSPs with add-on marketplaces.

Evidence Required: