| Term | Definition |
|---|---|
| Accessible | Information that is readily available and easily obtained by the end user. |
| ACSC | The Australian Cyber Security Centre (ACSC) leads the Australian Government's efforts to improve cyber security. Its role is to help make Australia the most secure place to connect online. The ACSC produces the Australian Government Information Security Manual (ISM). |
| Add-on marketplace | API interfaces offered by a DSP for use by other third-party software developers to provide additional value-added services to end customers. |
| API (Application programming interface) | An API is a set of subroutine definitions, protocols, and tools for building application software. It is a software intermediary that allows two applications to talk to each other. |
| ASVS 3.0 (Application Security Verification Standard) | A framework of security requirements and controls that focuses on normalising the functional and non-functional security controls required when designing, developing, and testing modern web applications. |
| Audit logging | The process of documenting activity within the software systems used across an organization. Audit logs record the occurrence of an event, the time at which it occurred, the responsible user or service, and other items. |
| Authentication (Multi-Factor Authentication) | Authentication is the process of determining whether someone or something is, in fact, who or what it says it is. Authentication technology provides access control for systems by checking whether a user's credentials match the credentials in a database of authorized users or in a data authentication server. The ATO considers authentication access controls a minimum for Client Controlled software. Multi-Factor Authentication (MFA) is a method of authenticating an individual using two or more authentication factors to verify their identity when they log into software. The ATO considers MFA a minimum for DSP-controlled, cloud-based software. |
| ATO | Australian Taxation Office |
| ATO wholesale services | Services that are provided through the SBR Channel, the ATO API Portal, or other ATO channels. |
| Biometrics | Allows a person to be identified and authenticated based on recognizable and verifiable data through unique biological characteristics. |
| Brute Force Lockout | A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until the one correct combination is found. A brute force lockout event occurs after a specified number of incorrect attempts; the ATO standard is 5 incorrect attempts. |
| Certification - Self & Independent | Independent certification seeks to provide the ATO with a level of assurance that a DSP has robust security practices in place across the organisation (IRAP or ISO/IEC 27001 standards). The self-assessment requirement seeks to provide the ATO with a level of assurance that a DSP will have robust security practices in place across the organisation (IRAP, ISO/IEC 27001, ISO/IEC 27002, SOC2, OWASP ASVS 3.0 or later, NIST). |
| CISA | Cybersecurity and Infrastructure Security Agency |
| Ciphers | The formulas used to encode (encrypt) and decode (decrypt) messages are called encryption algorithms, or ciphers. |
| Ciphertext | Encrypted data is called ciphertext; unencrypted data is known as plaintext. |
| Client Controlled | Software that is loaded and stored on a client's local computer or server, and transmits to the ATO. |
| Cloud software | Software delivered through the on-demand availability of computer system resources, especially data storage and computing power, without direct active management by the user. It is usually managed remotely. |
| Commercial software | Software which is produced for the purpose of on-selling. |
| CVE | CVE (Common Vulnerabilities and Exposures) provides a method for publicly sharing information on cybersecurity vulnerabilities and exposures. |
| Cryptography | The science of encrypting and decrypting information. It provides for secure communication in the presence of malicious third parties, known as adversaries. Encryption uses an algorithm and a key to transform an input (i.e. plaintext) into an encrypted output (i.e. ciphertext). |
| Data hosting | The act of storing data on a stable and accessible web platform. By default, a DSP should host data onshore. |
| Data at rest | Data that is not actively moving from device to device or network to network, such as data stored on a hard drive, laptop, or flash drive. |
| Data breach | A data breach is unauthorised access to or disclosure of personal information, or loss of personal information. Data breaches may be caused by malicious action, human error, or a failure in information handling systems. |
| Data in transit | Data that is actively moving from one location to another, for instance device to device or network to network. |
| De-whitelisting | The process of preventing the ability to transact with ATO production services. |
| DSP (Digital service provider) | Software developers that produce digital systems which perform services through SBR, including APIs for tax and business accounting, payroll, super and business registration. |
| Direct connecting | Software transmits directly to the ATO via the ebMS3 / AS4 protocol. |
| ebMS3 | The ebMS3 AS4 messaging capability is the protocol Digital Service Providers are required to build into their software to directly connect to the ATO through the Standard Business Reporting (SBR) digital channel. |
| Encryption | The process of converting information or data into a code, especially to prevent unauthorized access. |
| Encryption key management | Lifecycle management of encryption keys, protecting them from theft, loss, or misuse. The aim is to minimise the risks of compromised keys. |
| Encryption at rest | Designed to prevent an attacker from accessing the unencrypted data by ensuring the data is encrypted when on disk. If an attacker obtains a hard drive with encrypted data but not the encryption keys, the attacker must defeat the encryption to read the data. |
| Encryption in transit | Encryption applied while data is active, moving between devices and networks such as the internet, within a company, or being uploaded to the cloud. The ATO has minimum standards for allowable protocols. |
| Entity validation | Entity Validation is the OSF requirement, based upon "Know Your Customer" principles, and is the mandatory process of identifying and verifying the client's identity. In the case of DSPs' customers, the entity and contact details need to be validated. |
| Essential 8 | A recommended baseline of eight (8) essential mitigation strategies from the ACSC to protect against all cyber threats. |
| External Vendor Testing Environment | The environment in which DSPs build and test services so that they are able to move into production. |
| Exfiltration | Data exfiltration is the theft or unauthorized removal or movement of any data from a device. This typically involves stealing data from devices through various cyberattack methods. |
| Highly leveraged volumes | A DSP product or service that stores over 10,000 'accessible individual taxpayer or superannuation related information' records. Records that relate to the same individual are only counted once. |
| Hybrid model | An operating model which uses a combination of software types and connections. |
| Inactive Session Timeout | Represents the amount of time a user can be inactive before the user's session access times out and a screen lock is applied. An access event, such as SSO, would be required to re-open the session. It is not a session termination, only a screen lock; the session can continue running in the background. |
| Indirect connecting | Software transmits indirectly to the ATO, usually via a Gateway or SSP (Sending Service Provider). Gateways and SSPs are digital service providers (DSPs) which enable other DSPs to transmit data to the ATO via the ATO SBR ebMS3 messaging standard. |
| ISM (Information Security Manual) | The Australian Cyber Security Centre (ACSC) produces the Australian Government Information Security Manual (ISM). The purpose of the ISM is to outline a cyber security framework that an organisation can apply, using their risk management framework, to protect their systems and data from cyber threats. |
| ISMS (Information Security Management System) | A set of policies and procedures for systematically managing an organization's sensitive data. The goal of an ISMS is to minimize risk and ensure business continuity by proactively limiting the impact of a security breach. |
| ISM approved cryptographic algorithms | Algorithms which have been extensively scrutinised by industry and academic communities in practical and theoretical settings and have not been found to be susceptible to any feasible attack. |
| IRAP (The Information Security Registered Assessors Program) | Governed and administered by the Australian Cyber Security Centre (ACSC). IRAP provides the framework to endorse individuals from the private and public sectors to provide cyber security assessment services to the Australian Government. |
| In-house developed product | A product which has been developed for exclusive use by the organisation to manage their own payroll and other affairs; the product cannot be sold to other organisations. |
| ISO | ISO/IEC 27001 is the world's best-known standard for information security management systems (ISMS). It defines the requirements an ISMS must meet. The ISO/IEC 27000 family of standards enables companies and organisations to establish IT security, cybersecurity, and privacy protection. ISO 27000 outlines the security techniques necessary to properly safeguard customer data; ISO 27001 is where those principles meet the real world. Businesses implement the requirements outlined in the ISO 27000 standards and verify the effectiveness of their ISMS through an ISO 27001 audit. ISO 27002 gives guidance on implementing an ISO 27001 ISMS. ISO/IEC 27017:2015 gives guidelines for information security controls applicable to the provision and use of cloud services. |
| myGovID | myGovID is a Digital Identity app that lets you prove who you are when accessing government online services. |
| NSA | National Security Agency |
| NIST (National Institute of Standards and Technology) | NIST develops cybersecurity standards, guidelines, best practices, and other resources to meet the needs of U.S. industry, federal agencies, and the broader public. |
| No Shared Logins | Different people using the same shared credential. This is not permitted. If the same person logs into multiple devices at the same time, that is a concurrent login and is acceptable. |
| OWASP (Open Web Application Security Project) | A non-profit foundation that works to improve the security of software. The OWASP Foundation is the source for developers and technologists to secure the web. |
| Payroll information | Data used for reporting payroll information to the ATO. |
| Personnel Security | A set of measures to manage the risk of an employee exploiting their legitimate access to an organization's facilities, assets, systems or people for illicit gain, or to cause harm. |
| PII (Personally Identifying Information) | Any type of data that can be used to identify someone, from their name and address to their phone number, or even passport information. |
| Privileged user | A user who can alter or circumvent a system's security measures; this may include the capability to modify system configurations, account privileges, audit logs, data files or applications. |
| PSPF (Protective Security Policy Framework) | The Protective Security Policy Framework (PSPF) assists Australian Government entities to protect their people, information, and assets, both at home and overseas (https://www.protectivesecurity.gov.au/). |
| | After a user logs in, the user will have access from the same machine to all of their data even after the session has expired. This access remains possible until the user logs out. The ATO's requirement is to limit this functionality to less than 24 hours (meaning that a user's access to the system would need to be re-established each day). |
| Requirement (mandatory) | The requirement must be in place (or actively being worked towards implementation) before ATO services can be used in production. |
| Requirement (optional) | The requirement does not have to be in place to access ATO services in production, but it is recommended for increased security. |
| SBR site | The Standard Business Reporting (SBR) website provides access to information about SBR and how to participate, along with developer tools, guides, and support details. The primary audience is software developers. |
| Security monitoring | The automated process of collecting and analysing indicators of potential security threats and then triaging those threats with appropriate action. |
| SSO (Single Sign-on) | SSO is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems. True SSO allows the user to log in once and access services without re-entering authentication information. |
| SSP (Sending service provider) | A DSP that facilitates the transfer of STP-compliant electronic data messages via the ebMS3 protocol. |
| SOC2 (Service Organization Control 2) | An audit report which covers operational control systems, with criteria around security, availability, process integrity, privacy, and confidentiality. |
| SSAM (Security Standard for Add-on Marketplaces) | An extension of the ATO's Operational Framework, intended to provide guidance for cloud-based third-party add-ons that integrate via API with Digital Service Providers (DSPs). |
| SSL Labs (Secure Socket Layer Labs) | This free online service performs a deep analysis of the configuration of any SSL web server on the public Internet. |
| Supply Chain Visibility | Seeks to identify the entities and their functional roles involved in the transmission of information, operating to and from the system which generates the payload and the ATO. This includes providing details of any third-party connections to a DSP product via APIs. |
| Third Party Add-On Marketplaces | Seeks to identify the security controls and policies DSPs need to implement when partnering with third-party add-on providers and allowing connection via an API. The ATO defines an 'Add-on marketplace' as an API that is offered by a DSP for use by other third-party software developers to provide additional value-added services to end customers. |
| Taxonomy diagram | Provides a high-level overview of the network architecture, network elements and data flows between the DSP product(s) and the ATO. |
| Token or temporary credentials | These should be limited to a device and expire within 24 hours. |
| Whitelisting | The process of gaining access to transact with ATO production services. |
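As an added example that is not part of this glossary and not the ATO's own software, the following Python models three of the controls defined above using the figures the glossary states: a brute force lockout after 5 incorrect attempts, an inactive session timeout that is a screen lock rather than a termination, and a device-bound token that expires within 24 hours of issue. The class and function names (`Account`, `Session`, `attempt_login`, `check_session`, `unlock_screen`, `demo_clock`), the constructed timestamps, and the 15-minute inactivity limit are assumptions; the glossary gives no inactivity value.

```python
# Added example; not from the ATO glossary or any ATO software.
# Models three access controls the glossary names with concrete parameters:
#   - Brute Force Lockout: lock after 5 incorrect attempts (ATO standard),
#   - Inactive Session Timeout: a screen lock, not a session termination,
#   - Token or temporary credentials: device-bound, expiring within 24 hours.
# All class/function names and the 15-minute inactivity limit are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
import hmac
import secrets

MAX_FAILED_ATTEMPTS = 5                    # ATO standard from the glossary
TOKEN_LIFETIME = timedelta(hours=24)       # "expire within 24 hours"
INACTIVITY_LIMIT = timedelta(minutes=15)   # assumed; the glossary gives no value

T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)   # constructed start time


def demo_clock(minutes: int = 0, hours: int = 0) -> datetime:
    """Constructed clock for stand-alone runs: T0 plus an offset."""
    return T0 + timedelta(minutes=minutes, hours=hours)


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes   # salted PBKDF2 hash; the password itself is never stored
    failed_attempts: int = 0
    locked: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(username: str, password: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(username, salt, hash_password(password, salt))


def attempt_login(account: Account, password: str) -> str:
    """Return 'ok', 'denied' or 'locked'. A locked account stays locked until an
    administrator unlocks it; waiting or guessing again does not reset it."""
    if account.locked:
        return "locked"
    candidate = hash_password(password, account.salt)
    if hmac.compare_digest(candidate, account.password_hash):   # constant-time compare
        account.failed_attempts = 0
        return "ok"
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.locked = True
        return "locked"
    return "denied"


@dataclass
class Session:
    username: str
    device_id: str         # the token is bound to the device that obtained it
    token: str
    issued_at: datetime    # hard expiry is measured from issue, not from last use
    last_activity: datetime
    screen_locked: bool = False


def open_session(username: str, device_id: str, now: datetime) -> Session:
    return Session(username, device_id, secrets.token_urlsafe(32), now, now)


def check_session(session: Session, device_id: str, now: datetime) -> str:
    """Return 'expired' (token older than 24h or presented from another device),
    'locked' (idle past INACTIVITY_LIMIT: screen lock only, session persists),
    or 'active' (and record the activity)."""
    if device_id != session.device_id or now - session.issued_at >= TOKEN_LIFETIME:
        return "expired"
    if session.screen_locked or now - session.last_activity >= INACTIVITY_LIMIT:
        session.screen_locked = True
        return "locked"
    session.last_activity = now
    return "active"


def unlock_screen(session: Session, account: Account, password: str, now: datetime) -> bool:
    """The 'access event' that re-opens a screen-locked session: a fresh
    authentication, which is subject to the same lockout counter."""
    if attempt_login(account, password) != "ok":
        return False
    session.screen_locked = False
    session.last_activity = now
    return True


if __name__ == "__main__":
    acct = make_account("alice", "correct horse battery")
    print([attempt_login(acct, "guess") for _ in range(5)])   # fifth result is 'locked'
    bob = make_account("bob", "pw-for-demo")
    s = open_session("bob", "device-1", demo_clock())
    print(check_session(s, "device-1", demo_clock(minutes=30)))    # locked
    print(unlock_screen(s, bob, "pw-for-demo", demo_clock(minutes=31)))
    print(check_session(s, "device-1", demo_clock(hours=24)))      # expired
```

Two design points worth noting: the token's hard expiry counts from `issued_at`, so activity cannot extend a credential past 24 hours (which is what "limit this functionality to less than 24 hours" requires), and an idle session is only screen-locked, so re-authenticating restores it while the underlying session keeps running, matching the glossary's distinction between a lock and a termination.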