open it

Cloud products reading, storing, modifying or routing taxation, accounting, payroll, business registry or superannuation data will fall under either Category A, B or C of the Operational Security Framework (OSF)

The following requirements are mandatory for all cloud products:

Audit Logging

About the Requirement Evidence Required
Audit logging enables the traceability of access and actions within software products which can be used to detect anomalies or support the investigation of a security incident.

Logs must be kept for a minimum of 12 months and need to include:
  • Users who logged in and what
  • What a user views in a session
  • Any changes to privileges, permissions and authorisations
DSPs must provide dummy or authentic (with sensitive information redacted) access and event logs which include:
  • Authentication and authorisation
  • Date and time of the event
  • Username / identifier
  • Success or failure of the event
  • Event description
  • ICT equipment location and identification

DSPs can provide an audit log policy to support this requirement.


Authentication 

About the Requirement Evidence Required
Cloud products must have Multi-Factor Authentication (MFA) in place for all users. MFA is also required for any DSP staff with privileged user access. 

Under this requirement:
  • Shared logins are not permitted and must be blocked by DSPs
  • Remember me functionality must be limited to less than 24 hours
  • Tokens or temporary credentials should be isolated to an individual device and expire once used or within 24 hours
  • Authenticator apps can be used (e.g. Microsoft Authenticator, Symantec VIP or Google Authenticator) and DSPs need to demonstrate how MFA is enforced at login
  • User of enterprise SSO/federated logins require technical assessment and approval by the ATO

Social media credentials (Google, Microsoft, Facebook etc.) are not recommended for MFA, however, if your product is based on the use of social media credentials, you must contact the DPO. 

More information can be found at ACSC: Implementing Multi Factor Authentication

    • User description paired with screenshots of MFA workflow
    • User access controls including remember me, session time-out, brute force lockouts
    • Password or access control policy


    Certification

    About the Requirement Evidence Required
    The level of certification you are required to meet is dependent on whether your products fall under category A, B or C below. 

    More information about each of these certifications and how they apply under the OSF can be found on pages 17 - 20 of the OSF requirements document

      For independent certification DSPs must provide:

      • Completed documentation demonstrating conformance to one of the approved standards
      • Statement of Applicability
      • Letter of Compliance
      • Copy of certificate upon completion of independent certification

      When self-assessing against a certification, DSPs must provide documentation demonstrating their compliance to the chosen standard including comments on why certain controls may or may not be applicable to the organisation and how they apply.


      Category A Category B Evidence Required
      Independent certification against either:
        Independent certification or self-assessment against either:

        Independent certification or self-assessment against either:


        Data Hosting

        About the Requirement Evidence Required
        Data Hosting must be onshore by default.

        Offshore hosting arrangements, including redundant systems, are managed by exception only. Additional evidence is required for these arrangements and DSPs must consult with the ATO to ensure impacts have been addressed. 

        Where a DSP is storing data outside of Australia, they must:
        • Make it clear to customers that their data is being stored in a foreign jurisdiction
        • Apply the Australian Privacy Principles
        • Provide guidelines to your customers, where your customers use your services to collect and store data about other individuals, on where and how their data is being managed

          Provide details of your hosting provider including:

          • Provider name
          • Provider location (physical address)
          • Redundancy location (physical address)
          • Whether the provider is ASD certified or assessed against another security standard


          Encryption Key Management

          About the Requirement Evidence Required
          DSPs need to demonstrate that a policy or process is in place to govern the lifecycle management of encryption keys and minimise the risks of compromised keys. 

          The scope of the policy should cover:
          • Asymmetric/public key algorithms 
          • Hashing algorithms
          • Symmetric encryption algorithms

          As per Australian Government - Guidelines for using cryptography.

          It must also include generation, distribution, storage, renewal, revocation, recovery, archiving and destruction of encryption keys. More information can be found in attachment F of APRA Information Security CPS 234.  

              Copy of the key management policy or plan.


              Encryption at Rest

              About the Requirement Evidence Required
              DSPs must apply encryption at the disk, container, application or database level. Alternatively, DSPs may apply partial encryption to the data at the block, field or column level. Encryption at rest should follow Australian Government - Guidelines for using cryptography.

              Further controls are recommended to implement network segmentation and segregation for DSPs who have implemented encryption at rest. More information can be found at ACSC Implementation Network Segmentation and Segregation.

                  One of the below:

                  • Screenshot showing encryption enabled, confirmation of method of encryption applied and algorithm used
                  • Licensing agreement or invoice with whitepaper
                  • Policies relating to data classification when applying block, field or column encryption

                  If encryption at rest is not viable, DSPs should provide a screenshot or policy which demonstrates that all of the below have been met:

                  • User/system role-based access controls and active logging and monitoring protocols
                  • Restricting or limiting access to databases using the principle of least privilege
                  • Separation of hosts and segregation of networks or micro segmentation
                  • Intrusion prevention and detection controls


                  Encryption in Transit

                  About the Requirement Evidence Required
                  Encryption in transit must use an approved protocol, for example, TLS 1.2 or higher as per Australian Government - Guidelines of using cryptography and Annex A of ACSC Implementing Certificates, TLS and HTTPS

                      One of the following:

                      • Back-end configuration of TLS (e.g. load balancer)
                      • SSL Labs report for public certificates

                      Indirectly connecting products must provide one of the following:

                      • Licensing agreement with SSP 
                      • Screenshots from SSP portal
                      • Screenshot of API call to 3rd party showing TLS protocol


                      Entity Validation

                      About the Requirement Evidence Required
                      DSPs must implement entity validation to ensure that the consumers/users of a commercial software product are a legitimate business and have a genuine need to access a DSPs software. DSPs must verify the entity against a reliable and independent source (e.g. the Australian Business Register) and ensure they have valid contact details including a confirmed email and phone number.

                      Customers who do not have an ABN (e.g. student using software for research) are only required to validate the client contact information. 

                      This does not negate the need for DSPs to meet specific service requirements relating to verification.

                          DSPs need to provide evidence demonstrating that entity validation is in place as part of the product registration/purchase process.


                          Personnel Security

                          About the Requirement Evidence Required
                          DSPs need to demonstrate that appropriate processes and procedures are in place for hiring, managing and terminating employees and contractors. These may include but are not limited to:
                          • Identity proofing/pre-employment screening
                          • Previous employment checks
                          • Police checks
                          • Employee obligations
                          • Separation activities

                          Micro DSPs (one or two employees) are exempt from this requirement unless contractors or non-employees have access to source code or data in scope of the OSF. 

                              • Internal policy document detailing how employees maintain confidentiality of enterprise information
                              • Process descriptions detailing pre-employment screening and separation procedures
                              • Sample contracts detailing conditions of employment


                              Security Monitoring

                              About the Requirement Evidence Required
                              Security monitoring practices must be implemented at the network / infrastructure, application and transaction layer. DSPs must be able to demonstrate that they scan their environment for threats and will take appropriate action where anomalies are detected.
                                  • Screenshot of an intrusion detection system such as a firewall that generates alerts
                                  • Approach to detect anomalies or a screenshot of a security event and incident management dashboard
                                  • Intrusion prevention system which protects end points and scans the DSP environment to prevent malicious events
                                  • Policy demonstrating actions that will be taken where anomalies are detected


                                  Supply Chain

                                  About the Requirement Evidence Required
                                  Supply chain visibility seeks to identify entities and their functional roles involved in the transmission of information, operating to and from the system which generates the payload and the ATO. This includes providing details of any third-party connections to your product via APIs.

                                  The functional roles within a supply chain can be defined as:
                                  • Data collector
                                  • Data validator 
                                  • Data integrator
                                  • Data analysis and extraction
                                  • Data transformer
                                  • Data provider
                                  • Data transmitter

                                      DSPs are required to provide the business details of the participants in the supply chain including:

                                      • Entity name
                                      • ABN
                                      • Service provider role or function

                                      DSPs with an add-on marketplace will need to provide additional information.


                                      Third Party Add-on Marketplaces

                                      About the Requirement Evidence Required
                                      DSPs that partner with third-party add-on providers and allow connection via an API are required to have a security standard in place to govern these add-ons. The Security Standard for Add-on Marketplaces (SSAM) was developed as a security standard DSPs could leverage to meet this requirement. More information about the SSAM can be found here.

                                      Under this requirement, SSPs and gateways are not considered as DSPs with add-on marketplaces.
                                            • Information and details of the security standard in place for add-ons
                                            • List including the third-party developers name and a hyperlink to their product

                                            Online Forum

                                            Get involved in the discussion! Post your comments and have your say!

                                            Go To Forum

                                            Member Directory

                                            Browse through DSPANZ Members and learn more about them here.

                                            Browse List