Operational Framework Working Group outcomes

UNCLASSIFIED External
Issue date: 23 November 2017
Venue: Webex
Event date: 22 November 2017 / Start: 10:30am AEDST / Finish: 12:40am
Chair: Ian Scensor and Matthew Addison
Contact phone: 02 4923 1060
Attendees:
Names/section / External participants: Andrew D Smith (MYOB), Andrew Mitchell (MessageXchange), Tim Wright (Xero), Art Czernecki (Sage), Jason Zammit (Wolters Kluwer), Richard Puffe (Thompson Reuters), Karen Lay-Brew (ABSIA), Kent Griffin (eTax), Lex Edmonds (Microtax), Paul Turner (Sage), Rohan DuHeaume (Sage), Sandeep Gopalan (Impact Software), Sarah O’Brien (GNGB), Simon Hutchinson (Reckon), Simon Foster (Squirrel Street), Glen Hassleman (Free Accounting), Rick Harvey (Layer Security), Chris Matthews (Gateway Association and Transaction Exchange), Deanne Windsor (Pendragon Consulting), Andre Wynbergen (Sage), Brionny Campbell (Wolters Kluwer), Chris Denney (SuperChoice), David Field (OzEDI), Kelvin Newton (Xero), Tim Wright (Xero), Kevin Zhang (Class Super), Mike Behling (MYOB), Mike Denniss (Class Super), Chris Howard (ADP), Jack Wee (Catsoft), Ian Gibson (SuperChoice), Michael Wright (Sage), Paul Turner (Sage), Paul Siritwardana (Thompson Reuters), Amit Jain (FastTrack), Christine ? (FastTrack), Sean James (QValent)
ATO: Martin Mane, Terry Seiver, Miranda Shaw, Ty Winmill, Warwick Ragg, Este Martinez, Jo Wormald, Kylie Johnston, Leo Cheung, Matt Lewis
Outcomes
Key outcomes
  • The Working Group overwhelmingly supported the four core sets of principles developed via Focus Group consultation. The Working Group understands that these principles will be reported back into the ATO decision-making process, including to the Security Committee and the ATO Executive.
  • Nevertheless, the Working Group was also clear that the proposed adoption timeframe needed more discussion and was not yet at a point where it had support. The ATO undertook to take more advice on this point and propose an amended timeframe for consideration.
Multi factor authentication
  • The working group was in broad agreement with the focus group position on multi-factor authentication.
  • The ATO will work through the timeframes to implement multi-factor authentication for cloud-based DSPs.
  • Users of software that has access to tax or superannuation information will be required to use multi-factor authentication.
  • It was requested that more clarification be provided on the immediate requirements to implement multi-factor authentication, including what is expected in the plan and examples of sufficient controls.
  • It was requested that Operational Framework requirements for desktop/on-premise software be clearly defined.
Supply chain visibility and encryption
  • The working group was in broad agreement with the focus group positions on both supply chain visibility and encryption.
  • The importance of payload encryption and its potential use across a supply chain was noted, including for CSV files generated at source.
  • A question was raised on the suitability of AS4 for payload encryption, but it was noted that the focus group wanted to separate the payload from the message.
Data hosting arrangements
  • The working group was in broad agreement with the position on data hosting arrangements.
  • It was noted that the position paper needs to consider data stored offshore for the purpose of disaster recovery.
Certification and assessment
  • The working group was in broad agreement with the focus group position on certification and assessment, noting that realistic timeframes will still need to be developed.
  • It was noted that Know Your Customer requirements will not be required until the Trusted Digital Identity Framework solution is available.
  • It was noted that if a DSP utilises IaaS/PaaS and provides a web-based service, this would be considered a cloud product, as opposed to a client utilising IaaS/PaaS, which would be considered On Premise.
  • A question was raised on the requirements for DSPs that route payloads but cannot read the payload information.
  • The need for the ATO to develop a communication strategy for communicating the requirements (and consequences) of the Operational Framework to both DSPs and their users was noted.
  • The updated position papers will be distributed to the working group.

Action item: 1
Due date: 30 Nov
Responsibility: DPO
Updates to MFA paper:
  • Users that do not have access to tax or superannuation records will not require multifactor authentication
  • Provide examples of sufficient controls

Action item: 2
Due date: 30 Nov
Responsibility: DPO
Explicitly define the requirements for desktop / on premise software
Action item: 3
Due date: 8 Dec
Responsibility: DPO
Develop a plan for the implementation of payload encryption.
Action item: 4
Due date: 30 Nov
Responsibility: DPO
Consider a position on disaster recovery storage offshore and update the data hosting paper accordingly.
Action item: 5
Due date: 8 Dec
Responsibility: DPO
Updates to the certification and assessment position paper:
  • Clarity on Operational Framework scope for consuming an API and how it applies in the supply chain
  • Develop the requirements for DSPs that route end-to-end encrypted tax or superannuation information
  • Consequences for not meeting the Operational Framework requirements
  • Transition plan for superannuation DSPs
  • Audit logging standards

Action item: 6
Due date: 30 Nov
Responsibility: Intermediary communications
Develop a communications plan to inform both DSPs and their users of the Operational Framework requirements.

If you have any questions or feedback please email
