Following the first review of the Security Standard for Add-on Marketplaces (SSAM), we produced a report covering the history of the SSAM and the results of the review. This report can be accessed below.
About the 2021 SSAM Review
During August and September 2021, DSPANZ held three workshops with industry and government stakeholders to review the SSAM. The review considered the recently released version 6 of the Digital Service Provider (DSP) Operational Security Framework (OSF) and whether the SSAM requirements needed a technical uplift to match it. It also compared the SSAM with similar security standards, such as the Operational Framework for Trans-Tasman eInvoicing and Schedule 2 under the Consumer Data Right (CDR).
It was agreed that the requirements for encryption key management and encryption in transit would be uplifted to align with the OSF requirements. Two new requirements were added to the SSAM:
- Entity validation - applications that connect via API can inherit or rely upon the entity validation already performed by the DSP. It is also recommended that applications collect and validate email addresses and phone numbers from their users.
- Web application firewalls - applications must be protected by a web application firewall.
Add-on developers also expressed interest in having optional operational controls added to the SSAM. The following set of optional controls, reflecting existing ISO 27001 requirements, will be added to the SSAM for developers who wish to meet them. To assist with this, DSPANZ will create template self-attestation documents for add-on developers to use.
- Information security awareness, education and training
- Operational procedures and responsibilities
- Personnel security
- Physical and environmental security
- System access control
- System acquisition, development and maintenance
The review also identified several areas where DSPANZ can clarify the security requirements and better support both DSPs and add-on developers (API consumers) in understanding the SSAM.
The Updated SSAM
A copy of the revised standard will be made available in early 2022. The SSAM review group will meet once more in early 2022 to review the updated documentation before it is officially published.