The continued growth of our digital wholesale services increases productivity and community connectivity across the digital ecosystem. This connectivity offers a range of service opportunities for digital service providers (DSPs), as well as presenting business risks and security implications for us and the Australian community.
The DSP Operational Framework (‘the framework’) is part of our response to these risks, establishing a set of Requirements for DSPs that ensures security and confidence to protect our clients and their data when transacting through software.
The Digital Service Provider Operational Framework Security Questionnaire (DOCX, 895KB) is used by DSPs to demonstrate how a product or service meets the requirements.
All DSPs wanting to use our digital services will need to complete the questionnaire and meet the relevant requirements which can include, but is not limited to:
- Authentication
- Encryption
- Supply chain visibility
- Certification
- Data hosting
- Personnel security
- Encryption key management
- Security monitoring practices.
The Digital Partnership Office (DPO) will support you to meet the requirements of the framework. For further information and to provide feedback contact the DPO via Online services for DSPs.
Review
The independent review of the Operational Framework which started in June has now finished. We are preparing outcomes to consult with stakeholders and industry representatives.
The process will include one working group of all members, in addition to a split of members into four smaller working groups to identify solutions and improvements dedicated to key topics. Members will be based on those who have:
- nominated through the EOI process
- advised of their EOI through emails, or
- nominated through alternate working groups.
The main findings are that the Framework is in a maturing state after three years in the making. There were nine key strengths identified and the top three being:
- The Framework has created a significant foundation for improving the security of the DSP ecosystem by encouraging the broad adoption of industry-based frameworks including ISO/IEC27001 and additional controls from the Australian Government Information Security Manual.
- The DSP lifecycle overview provides relevant and positive security guidance to assist DSPs in maintaining a secure platform during development.
- DSPs identified that the working groups facilitated by the ATO provide a commercially valuable engagement and improve quality and adoption of changes to the Framework.
The focus groups will commence in September to identify the solutions and improvements to the Framework. Participation in the focus groups is open to all DSPs and industry representatives; however, it will need to be limited in numbers with the DPO ensuring a cross section of membership is included. If you are interested in participating submit an expression of interest by 28 August. All participants will be required to actively participate and represent the software industry as a whole.
Outcomes and actions will be published on the Software Developer website, with a draft of any changes open to consultation before finalising the process. This will provide all DSPs and industry representatives the opportunity to provide feedback and recommendations. Once finalised DPO will hold an open information session to provide updates on the changes.
Background
To develop the framework, a working group contributed to establishing and finalising the scope and implementation approach.
Focus groups assisted in establishing a position on each of the five issues identified during the DSP Operational Framework interim assessment. You can access details on each below:
- Multi-factor authentication focus group
- Certification and assessment focus group
- Onshore-offshore data hosting focus group
- Supply chain and encryption focus group
- Operational Framework working group
You can also access an overview of the positions established by the focus groups.
See also: