OSF for Desktop Products

• Users who logged in and when
• What a user views in a session
• Any changes to privileges, permissions and authorisations

• Authentication and authorisation
• Date and time of the event
• Username / identifier
• Success or failure of the event
• Event description
• ICT equipment location and identification

DSPs can provide an audit log policy to support this requirement.

• Shared logins are not permitted and must be blocked
• Remember me functionality must be limited to less than 24 hours

To strengthen authentication, the ATO recommends implementing Multi-Factor Authentication (MFA) as best practice. More information can be found here. 

If MFA is implemented:

• User description paired with screenshots of MFA workflow
• User access controls including remember me, session time-out, brute force lockouts
• Password or access control policy

DSPs that have not implemented MFA should consider implementing passphrase management, account lockout and resetting passphrase practices as described in the Australian Government - Guidelines for system hardening. 

• ISM
• ISO/IEC 27001
• ISO/IEC 27002
• ISO/IEC 27017
• SOC2
• OWASP ASVS 3.0 or later
• NIST 

More information about how each of these certifications and how they apply under the OSF can be found on pages 17 - 20 of the OSF requirements document. 

DSPs must provide documentation demonstrating their compliance to one of the approved security standards including comments on why certain controls may or may not be applicable to the organisation and how they apply. 

• Make it clear to customers that their data is being stored in a foreign jurisdiction
• Apply the Australian Privacy Principles
• Provide guidelines to your customers, where your customers use your services to collect and store data about other individuals, on where and how their data is being managed

Provide details of your hosting provider including:

• Provider name
• Provider location (physical address)
• Redundancy location (physical address)
• Where the provider is ASD certified or assessed against another security standard

Any DSP storing data offshore needs to contact the DPO. 

Copy of the key management policy or plan. 

One of the below:

• Screenshot showing encryption enabled, confirmation of method of encryption applied and algorithm used
• Licensing agreement or invoice with whitepaper 
• Policies relating to classification when applying block, field or column encryption

If encryption at rest is not viable, DSPs should provide a screenshot or policy which demonstrates that all of the below have been met:

• User/system role-based access controls and active logins and monitoring protocols
• Restricting or limiting access to database using the principle of least privilege
• Separation of hosts and segregation of networks or micro segmentation
• Intrusion prevention and detection controls

Indirectly connecting products must provide one of the following:

• Licensing agreement with SSP
• Screenshots from SSP portal
• Screenshot of API call to 3rd party showing TLS protocol

Desktop products that directly connect to the ATO are not required to provide evidence for this requirement.

DSPs need to provide evidence demonstrating that entity validation is in place as part of the product registration/purchase process.

• Identity proofing/pre-employment screening
• Previous employment checks
• Police checks
• Employee obligations
• Separation activities 

Micro DSPs (one or two employees) are exempt from this requirement unless contractors or non-employees have access to source code or data in scope of the OSF. 

• Internal policy document detailing how employees maintain confidentiality of enterprise information
• Process descriptions detailing pre-employment screening and separate procedures 
• Sample contacts detailing conditions of employments

• Screenshot of an intrusion detection system such as a firewall that generates alerts
• Approach to detect anomalies or a screenshot of a security event and incident management dashboard
• Intrusion prevention system which protects end points and scans the DSP environment to prevent malicious events
• Policy demonstrating actions that will be taken where anomalies are detected

• Data collector 
• Data validator
• Data integrator
• Data analysis and extraction
• Data transformer
• Data provider 
• Data transmitter

DSPs are required to provide the business details of the participants in the supply chain including:

• Entity name
• ABN
• Service provider role or function

DSPs that partner with third party add-on providers and allow connection via an API are required to have a security standard in place to govern these add-ons. The security standard for Add-on Marketplaces (SSAM) was developed as a security standard that DSPs could leverage to meet this requirement. More information about the SSAM can be found here.

• Information and details of the security standard in place for add-ons
• List including the third party developers name and a hyperlink to their product