The review of the Operational Framework has now wrapped up. Most notably, the Operational Framework has a new name and acronym: the DSP Operational Security Framework, or the DSP OSF.
We look forward to navigating these changes with our members and keeping the industry up to date with the framework.
If you have feedback on the draft requirements, it should be provided via Online Services for DSPs by 5pm AEST on Tuesday 27 July. Access the draft requirements and additional information here.
Find a summary of the changes below. A recording and slides from a members-only meeting on the OSF can be accessed by members here.
Summary of Changes
The scope of the DSP OSF has been expanded to include accounting and payroll data, which clarifies who needs to meet the requirements.
Some changes have been made to the overall OSF process including:
- Streamlined annual review process
- Improved security incident reporting processes, including more information on how and when to report
- Proposed knowledge hub content (Online Services for DSPs) to support understanding and completion of the OSF
Audit Logging
Clarifications have been made to this requirement including:
- Logs must be kept for a minimum of 12 months
- Software must enable traceability of user access and actions through audit logs (e.g. who logged in and when, and what they viewed and/or changed)
General improvements were made to the supporting guidance.
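The two audit-logging bullets above describe what a log must make recoverable (who, when, what was viewed or changed) and for how long (12 months). The following is an added example, not code from the page, the ATO or any DSP product, showing one way to record events so that both questions can be answered from the log alone: each record carries actor, UTC timestamp, action and target, and an update keeps the before/after values. The field names, the use of 365 days as "12 months", and the sample events are constructed assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Assumed reading of "a minimum of 12 months"; adjust to your own retention policy.
RETENTION = timedelta(days=365)


def make_event(ts, actor, action, target=None, source_ip=None, before=None, after=None):
    """One audit record: who (actor, source_ip), when (ts, UTC ISO-8601),
    what (action on target). For updates the before/after values are kept
    so the change itself, not just the fact of a change, is recoverable."""
    rec = {"ts": ts.isoformat(timespec="seconds"), "actor": actor,
           "action": action, "target": target, "source_ip": source_ip}
    if action == "update":
        rec["before"], rec["after"] = before, after
    return rec


def to_line(rec):
    """Serialise for an append-only JSON-lines log; records are never edited in place."""
    return json.dumps(rec, sort_keys=True)


def from_lines(lines):
    """Parse a JSON-lines log back into records, skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]


def trace_user(events, actor):
    """Everything one user did, in time order: logins, views and changes."""
    return sorted((e for e in events if e["actor"] == actor), key=lambda e: e["ts"])


def trace_target(events, target):
    """Every access to, or change of, one record: by whom and when."""
    return sorted((e for e in events if e.get("target") == target), key=lambda e: e["ts"])


def purgeable(events, now):
    """Records older than the retention floor; everything newer must still be kept."""
    floor = now - RETENTION
    return [e for e in events if datetime.fromisoformat(e["ts"]) < floor]


def demo():
    """Constructed sample log (not real data) and a fixed 'now' for the retention check."""
    utc = timezone.utc
    now = datetime(2021, 7, 27, 7, 0, tzinfo=utc)
    raw = [
        make_event(datetime(2020, 5, 1, 1, 0, tzinfo=utc), "alice", "login", source_ip="203.0.113.5"),
        make_event(datetime(2021, 6, 30, 1, 0, tzinfo=utc), "alice", "login", source_ip="203.0.113.5"),
        make_event(datetime(2021, 6, 30, 1, 5, tzinfo=utc), "alice", "view", "payroll/run/2021-06", "203.0.113.5"),
        make_event(datetime(2021, 6, 30, 1, 9, tzinfo=utc), "alice", "update", "employee/42", "203.0.113.5",
                   before={"bank_bsb": "012-345"}, after={"bank_bsb": "062-000"}),
        make_event(datetime(2021, 7, 1, 3, 0, tzinfo=utc), "bob", "login", source_ip="198.51.100.7"),
        make_event(datetime(2021, 7, 1, 3, 2, tzinfo=utc), "bob", "view", "employee/42", "198.51.100.7"),
    ]
    lines = [to_line(r) for r in raw]   # what would be appended to the log file
    return from_lines(lines), now


if __name__ == "__main__":
    events, now = demo()
    for e in trace_target(events, "employee/42"):
        print(e["ts"], e["actor"], e["action"], e.get("before"), e.get("after"))
    print("purgeable:", [e["ts"] for e in purgeable(events, now)])
```

Timestamps are written in UTC so that records from different hosts sort and compare correctly; the 12-month check is done against the record's own timestamp, not the file's modification time, because a log file that is rotated or copied loses the latter.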
Certification
ISO 27002 and ISO 27001 have been included as an option to help support smaller DSPs undertaking self-certification. General improvements were made to the supporting guidance.
Data Hosting
No changes were made to this control but improvements were made to the supporting guidance.
Encryption
All DSPs must use TLS 1.2 or higher and provide evidence of this.
Entity Validation
DSPs are now required to validate the customer's business entity, including:
- Confirming ABN details (if applicable)
- Collecting and verifying email address and telephone number (at a minimum)
Entity validation is to be included as part of product registration or subscription purchase and/or renewal. It is to be completed before a product connects to ATO systems. There will be a transition period for existing customers.
Multi-factor Authentication (MFA)
All cloud environments must have MFA in place in order to access any data in scope of the DSP OSF. The "remember me" functionality is now limited to 24 hours, and shared logins are not permitted and must be blocked by DSPs.
The following requirements have been clarified:
- Google/Microsoft/Facebook credentials cannot be used as an MFA sign-in method
- Use of enterprise SSO/federated logins requires technical assessment and approval by the ATO
General improvements have also been made to the supporting guidance.
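Two of the MFA points above are mechanical checks a DSP has to implement: a "remember me" grant stops exempting a device from MFA after 24 hours, and a shared login (one account in use from more than one device at once) has to be blocked. The code below is an added example, not code from the page, the ATO or any DSP product; it shows one way to enforce the first rule at login time and to both detect and block the second from session records. The session-record fields, the choice of a device identifier as the "same user" key, and the sample sessions are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

REMEMBER_ME_MAX = timedelta(hours=24)   # the OSF cap on "remember me"


def parse_ts(value):
    """ISO-8601 UTC string -> aware datetime."""
    return datetime.fromisoformat(value)


def mfa_required(remembered_at, now):
    """True when the user must complete a fresh MFA challenge.

    remembered_at is when this device last passed MFA and was marked
    'remembered'; None means it never was. The decision is made server-side
    from the grant's age, so a client-side cookie lifetime cannot extend it."""
    if remembered_at is None:
        return True
    return now - remembered_at >= REMEMBER_ME_MAX


def shared_login_pairs(sessions):
    """Detect concurrent sessions on one account from different devices.

    sessions: dicts with account, device, start, end (ISO-8601 UTC; end is
    None while the session is open). Returns {account: [(device_a, device_b), ...]}.
    Overlap on the same device (e.g. a second browser tab) is not flagged;
    that is an assumption of this example, not an OSF rule."""
    by_account = {}
    for s in sessions:
        by_account.setdefault(s["account"], []).append(s)
    flagged = {}
    for account, sess in by_account.items():
        sess.sort(key=lambda s: s["start"])
        for i, a in enumerate(sess):
            a_end = parse_ts(a["end"]) if a["end"] else datetime.max.replace(tzinfo=timezone.utc)
            for b in sess[i + 1:]:
                if parse_ts(b["start"]) >= a_end:
                    break            # sorted by start, so nothing later overlaps a
                if b["device"] != a["device"]:
                    flagged.setdefault(account, []).append((a["device"], b["device"]))
    return flagged


def login_allowed(account, device, sessions):
    """Block at login time: refuse a new session while another device already
    holds an open session on the same account."""
    return not any(s["account"] == account and s["device"] != device and s["end"] is None
                   for s in sessions)


def demo():
    """Constructed sample sessions (not real data)."""
    return [
        {"account": "alice", "device": "dev-A", "start": "2021-07-27T00:00:00+00:00", "end": "2021-07-27T01:00:00+00:00"},
        {"account": "alice", "device": "dev-B", "start": "2021-07-27T00:30:00+00:00", "end": None},
        {"account": "bob",   "device": "dev-C", "start": "2021-07-27T00:00:00+00:00", "end": "2021-07-27T00:30:00+00:00"},
        {"account": "bob",   "device": "dev-D", "start": "2021-07-27T00:45:00+00:00", "end": "2021-07-27T01:00:00+00:00"},
        {"account": "carol", "device": "dev-E", "start": "2021-07-27T00:00:00+00:00", "end": None},
        {"account": "carol", "device": "dev-E", "start": "2021-07-27T00:10:00+00:00", "end": None},
    ]


if __name__ == "__main__":
    print("shared logins:", shared_login_pairs(demo()))
    print("alice from dev-C allowed:", login_allowed("alice", "dev-C", demo()))
```

The detection pass is what you would run over historical session records to evidence the control; `login_allowed` is the blocking check at the authentication boundary. Whether the right response to a second device is to refuse the new login or to terminate the older session is a product decision; the example refuses, which is the simpler of the two to reason about.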
Personnel Security
No significant changes were made to this control but general improvements have been made to the supporting guidance.
Security Monitoring
This now applies to all DSP-controlled environments. Previously, only those consuming medium- and high-risk APIs were required to have security monitoring in place. General improvements have also been made to the supporting guidance.
Supply Chain
No changes were made to this requirement, but general improvements have been made to the supporting guidance. The review did consider payload encryption, but the ATO has decided not to progress it at this stage; it remains a future review item.