The Digital Service Provider (DSP) Operational Security Framework (OSF) seeks to protect Taxation, Accounting, Payroll and Superannuation related data and the integrity of the Taxation, Business Registry and Superannuation systems that support the Australian community. This is achieved by setting out a minimum level of security requirements a DSP needs to meet in order to access ATO Digital Services that perform a functional role in the supply chain. The DSP OSF has been established to respond to business risks and security threats presented by the continual expansion and growth of digital services across the ecosystem.
The DSP OSF is a response to known examples of:
- Information misuse: including identity theft, personal gain or commercial advantage.
- Financial system misuse: including tax refund fraud.
- Destructive cyber behaviour: including individual or system hacks.
DSPs wanting to use ATOs digital services are required to complete and submit a DSP OSF Security Questionnaire (DOCX, 804KB). The questionnaire requires evidence of the following:
- Audit Logging
- Authentication
- Certification
- Data hosting
- Encryption Key Management
- Encryption at Rest
- Encryption in Transit
- Entity Validation
- Personnel security
- Security Monitoring
- Supply Chain
- Third Party Add-On
The Digital Partnership Office (DPO) can guide you through completing questionnaire and understanding the requirements. Should you have any questions please contact DPO via Online Services for DSPs (OS4DSP).
See also
- DSP Operational Security Framework Requirements for ATO Digital Services (PDF, 559KB)
- Digital Service Provider Operational Framework Security Questionnaire (DOCX, 804KB)
- Australian Cyber Security Centre
- API risk ratings
- Australian Prudential Regulation Authority
- Essential 8
- Information Security Manual
- ISO standards
- NIST
- OIAC Breach Notification
- Online Services for DSPs
- OWASP
- Security Standard for Add-on Marketplaces (SSAM)
- SOC2
- SSL Labs
- Using Our Services