Certification and Assessment / Draft Position Paper / November 2018
For more information on this position paper, email
This paper sets out the key factors that will provide the basis of an assessment of Digital Service Providers (DSPs) that read, modify or route any tax or superannuation related information.
Introduction
- The Digital Service Provider Operational Framework is part of the ATO response in recognising and responding to risks posed by exposing web services and Application Programming Interfaces (APIs).
- The assessment process establishes a DSP's security posture; based on acceptable levels of conformance, it will enable a DSP to consume ATO web services and APIs.
- While certification is a key component, it is considered in partnership with a series of complementary components which comprise (or contribute to) the Operational Framework assessment process.
Key considerations
- The information security best practice standard for the Australian government is the Information Security Manual (ISM) developed by the Australian Signals Directorate.
- There are multiple characteristics that need to be considered in determining the security requirement or threshold that a DSP should meet:
  - Service offering (eg cloud provider)
  - Number of taxpayer records
  - Risk characteristics of the service
  - Additional controls that may mitigate or reduce risk (eg multi-factor authentication)
- The ATO’s security requirements have been framed to enable commercial innovation while enhancing the security of the digital ecosystem.
- We recognise that the industry is subject to ongoing innovation and that new business models may emerge that are not currently articulated; the DSP Operational Framework is a maturity model and will continue to progressively evolve over time.
What we heard
- Cost is a pivotal factor as it will be borne by the DSPs
- In line with industry best practice requirements, DSP certification should be reviewed annually
- Certification requirements may:
  - introduce a 'barrier to entry' limiting innovation
  - reduce the opportunity for the development of value added services to the community
- Certification should not be bespoke for the ATO – this includes cut down versions of ISO/iRAP
- There is concern the high volume of controls prescribed by iRAP (900+) may not be relevant to all DSPs
- The requirements to access our services can be reviewed should an information incident occur.
- DSPs are required to advise the ATO when their DSP circumstances have changed
- The ATO will validate the controls within the DSP’s environment by sighting suitable evidence
- There is a need for clear definitions on the scope of the operational framework and the parties subject to it
- A communication campaign for clients will be required to inform and educate the community regarding the ATO’s key requirements (i.e. multifactor authentication)
- Broad agreement was achieved in relation to the imperative behind strengthening the digital ecosystem. Improving security requirements for DSPs is a positive move towards achieving that goal
Alternatives explored
- Two options were nominated by the group as alternatives to ISO and iRAP certification, and the suitability of these has been investigated by the ATO Cyber Security branch.
  - Application Security Verification Standard (ASVS) 3.0
    - Strong focus on information and IT security controls (211 in total)
    - Strong correlation with ISO/IEC 27001 and ISM principles
    - ASVS does not take into account personnel or physical security controls
  - Service Organization Control (SOC) 2
    - SOC 2 performs an assessment against five key principles, namely Security, Availability, Processing Integrity, Confidentiality and Privacy
    - Assessment is in line with the Trust Services Criteria (TSP Section 100) developed by the American Institute of CPAs (AICPA) Assurance Services Executive Committee (ASEC), the AICPA Guide, and SSAE No. 18 (USA framework/standard).
- The two proposed alternatives were accepted by the ATO and are suitable options where DSPs are required to demonstrate self-assessment.
Conclusion
- Certification is delineated into three key clusters:
  - Independent assessment performed by a qualified, registered assessor in line with iRAP or ISO/IEC 27001
  - Self-assessment performed by a relevant internal representative in line with ISO/IEC 27001
  - Self-assessment performed by a relevant internal representative in line with ISO/IEC 27001, ASVS 3.0 or SOC 2.
The requirements will vary depending on the type of software the DSP provides (desktop or cloud), the API risk rating the DSP is seeking to consume (no risk, low risk, medium risk or high risk) and the number of taxpayer records they provide their software to (large/high leveraged user base).
Key definitions
- Individual taxpayer or superannuation related information means information that has been stored for the purpose of a taxation or superannuation law and identifies, or is reasonably capable of being used to identify, an individual
- Accessible means an end user has the ability to view the information readily
- Large/high leverage user base means:
  - a DSP product or service that stores over 10,000 'accessible individual taxpayer or superannuation related information' records. Records that relate to the same individual are only counted once.
  - any gateway or sending service provider
- DSP service is running in the cloud means:
  - a software-as-a-service offering provided direct to end users, or
  - a software-as-a-service offering to another DSP to consume as part of a supply chain
- Direct to ATO, product hosted on customer's premise or on customer's IaaS/PaaS cloud means software that is loaded and stored on a client's local computer, service (IaaS/PaaS) and/or device and transmits direct to the ATO
- Indirect to ATO, product hosted on customer's premise or on customer's IaaS/PaaS cloud via gateway means software that is loaded and stored on a client's local computer, service (IaaS/PaaS) and/or device and uses a gateway or sending service provider to facilitate the transmission of a message to the ATO
- A DSP's certification requirements will fall into one of the following categories:
DSP's product/service characteristics / Requirement
  - Large/high leverage user base, AND DSP service is running in the cloud
  - DSP service is running in the cloud, AND DSP is consuming medium and/or high risk APIs
  - All other DSP products/services
APPENDIX 1 – Certification scope
UNCLASSIFIED / PAGE1 OF 6
APPENDIX 2 – Certification hierarchy