OSF for Cloud Products

• Users who logged in and what
• What a user views in a session
• Any changes to privileges, permissions and authorisations

• Authentication and authorisation
• Date and time of the event
• Username / identifier
• Success or failure of the event
• Event description
• ICT equipment location and identification

DSPs can provide an audit log policy to support this requirement.

• Shared logins are not permitted and must be blocked by DSPs
• Remember me functionality must be limited to less than 24 hours
• Tokens or temporary credentials should be isolated to an individual device and expire once used or within 24 hours
• Authenticator apps can be used (e.g. Microsoft Authenticator, Symantec VIP or Google Authenticator) and DSPs need to demonstrate how MFA is enforced at login
• User of enterprise SSO/federated logins require technical assessment and approval by the ATO

Social media credentials (Google, Microsoft, Facebook etc.) are not recommended for MFA, however, if your product is based on the use of social media credentials, you must contact the DPO. 

More information can be found at ACSC: Implementing Multi Factor Authentication. 

• User description paired with screenshots of MFA workflow
• User access controls including remember me, session time-out, brute force lockouts
• Password or access control policy

For independent certification DSPs must provide:

• Completed documentation demonstrating conformance to one of the approved standards
• Statement of Applicability
• Letter of Compliance
• Copy of certificate upon completion of independent certification

When self-assessing against a certification, DSPs must provide documentation demonstrating their compliance to the chosen standard including comments on why certain controls may or may not be applicable to the organisation and how they apply.

• iRAP (ISM)
• ISO/IEC 27001

• ISM
• ISO/IEC 27001
• ISO/IEC 27002
• ISO/IEC 27017
• NIST

Independent certification or self-assessment against either:

• ISM
• ISO/IEC 27001
• ISO/IEC 27002
• ISO/IEC 27017
• SOC2
• OWASP ASVS 3.0 or later
• NIST

• Make it clear to customers that their data is being stored in a foreign jurisdiction
• Apply the Australian Privacy Principles
• Provide guidelines to your customers, where your customers use your services to collect and store data about other individuals, on where and how their data is being managed

Provide details of your hosting provider including:

• Provider name
• Provider location (physical address)
• Redundancy location (physical address)
• Whether the provider is ASD certified or assessed against another security standard

• Asymmetric/public key algorithms 
• Hashing algorithms
• Symmetric encryption algorithms

As per Australian Government - Guidelines for using cryptography.

It must also include generation, distribution, storage, renewal, revocation, recovery, archiving and destruction of encryption keys. More information can be found in attachment F of APRA Information Security CPS 234.  

Copy of the key management policy or plan.

One of the below:

• Screenshot showing encryption enabled, confirmation of method of encryption applied and algorithm used
• Licensing agreement or invoice with whitepaper
• Policies relating to data classification when applying block, field or column encryption

If encryption at rest is not viable, DSPs should provide a screenshot or policy which demonstrates that all of the below have been met:

• User/system role-based access controls and active logging and monitoring protocols
• Restricting or limiting access to databases using the principle of least privilege
• Separation of hosts and segregation of networks or micro segmentation
• Intrusion prevention and detection controls

One of the following:

• Back-end configuration of TLS (e.g. load balancer)
• SSL Labs report for public certificates

Indirectly connecting products must provide one of the following:

• Licensing agreement with SSP 
• Screenshots from SSP portal
• Screenshot of API call to 3rd party showing TLS protocol

DSPs need to provide evidence demonstrating that entity validation is in place as part of the product registration/purchase process.

• Identity proofing/pre-employment screening
• Previous employment checks
• Police checks
• Employee obligations
• Separation activities

Micro DSPs (one or two employees) are exempt from this requirement unless contractors or non-employees have access to source code or data in scope of the OSF. 

• Internal policy document detailing how employees maintain confidentiality of enterprise information
• Process descriptions detailing pre-employment screening and separation procedures
• Sample contracts detailing conditions of employment

• Screenshot of an intrusion detection system such as a firewall that generates alerts
• Approach to detect anomalies or a screenshot of a security event and incident management dashboard
• Intrusion prevention system which protects end points and scans the DSP environment to prevent malicious events
• Policy demonstrating actions that will be taken where anomalies are detected

• Data collector
• Data validator 
• Data integrator
• Data analysis and extraction
• Data transformer
• Data provider
• Data transmitter

DSPs are required to provide the business details of the participants in the supply chain including:

• Entity name
• ABN
• Service provider role or function

DSPs with an add-on marketplace will need to provide additional information.

• Information and details of the security standard in place for add-ons
• List including the third-party developers name and a hyperlink to their product