open it

The review of the Operational Framework has now wrapped up. Most notably, the Operational Framework has a new name and acronym - the DSP Operational Security Framework or the DSP OSF.

We look forward to navigating these changes with our members and keeping the industry up to date with the framework.

If you have feedback on the draft requirements, it should be provided via Online Services for DSPs by 5pm AEST on Tuesday 27 July. Access the draft requirements and additional information here

Find a summary of the changes below. A recording and slides from a members only meeting on the OSF can be accessed by members here

Summary of Changes

The scope of the DSP OSF has been enhanced to include accounting and payroll data which provides greater clarification around who needs to meet the requirements. 

Some changes have been made to the overall OSF process including:

  • Streamlined annual review process
  • Improved security incident reporting processes including more information and how and when to report
  • Proposed knowledge hub content (Online Services for DSPs) to support understanding and completion of the OSF


Audit Logging

Clarifications have been made to this requirement including:

  • Logs must be kept for a minimum of 12 months
  • Software must enable traceability of user access and actions through audit logs (e.g. who and when logged in, what they viewed and/or changed)

General improvements were made to the supporting guidance.

Certification

ISO 27002 and ISO 27001 have been included as an option to help support smaller DSPs undertaking self certification. General improvements were made to the supporting guidance. 

Data Hosting

No changes were made to this control but improvements were made to the supporting guidance.

Encryption

All DSPs must use TLS 1.2 or higher and provide evidence of this. 

Entity Validation

DSPs are now required to validate the customer's business entity including:

  • Confirming ABN details (if applicable)
  • Collecting and verifying email address and telephone number (at a minimum)

Entity validation is to be included as part of product registration or subscription purchase and/or renewal. It is to be completed before a product connects to ATO systems. There will be a transition period of existing customers. 

Multi-factor Authentication (MFA)

All cloud environments must have MFA in place in order to access any data in scope of the DSP OSF. The remember me functionality has now been limited to 24 hours and shared logins are not permitted and need to be blocked by DSPs.

The following requirements have been clarified:

  • MFA cannot include Google/Microsoft/Facebook credentials to sign in
  • Use of the enterprise SSO/federated logins require technical assessment and approval by the ATO

General improvements have also been made to the supporting guidance.

Personnel Security

No significant changes were made to this control but general improvements have been made to the supporting guidance.

Security Monitoring

This now applies to all DSP controlled environments. Previously only those consuming medium and high risk APIs were required to have security monitoring in place. General improvements have also been made to the supporting guidance.

Supply Chain

There have been no changes made to this requirement but general improvements have been made to the supporting guidance. The review did cover payload encryption but the ATO have decided not to progress with it at this stage and it remains a future review item. 

Newsletter

Be the first to hear about the latest business software industry news, updates, and events.

Online Forum

Get involved in the discussion! Post your comments and have your say!

Go To Forum

Member Directory

Browse through DSPANZ Members and learn more about them here.

Browse List