The Security Standard for Add-on Marketplaces (SSAM) applies to DSPs with cloud-based applications that feature an API-powered third-party ecosystem. This means DSPs may have to revise their processes and controls to reflect these standards.
NOTE: These standards do not apply to DSPs who do not host an API-powered third-party ecosystem.
What changes are DSPs required to make?
It is recommended that DSPs review the SSAM and ensure they are able to support the security requirements listed in each
What role are DSPs playing?
DSPs play a role in the regulation of third-party add-ons as part of this standard.
DSPs should, as part of their annual certification with the ATO under the Operational Framework, provide:
- A list of the applicable third-party add-on developers with more than 1,000 small business connections or a connection to a tax agent/practice client list (including individuals);
- The date the self-assessment has been completed;
- Confirmation that the self-assessment has been approved by the DSP; and
- Details of any outstanding matters.
To assist in the above reporting, third-party apps should provide a completed self-assessment on an annual basis.
If a third-party add-on does not adequately comply with these specifications, a DSP will be required to issue them written notice giving them 30 days to advise of their treatment plan and up to a further 60 days to complete the required work.
The role of the ATO
To support a strengthened environment, the ATO will update the Security Questionnaire to capture high-level details of the app stores provided by DSPs. The ATO will also clarify the data breach requirements to ensure that any information incident within a third-party add-on must be reported to the ATO.
When do the standards come into effect?
The SSAM is expected to apply from:
- 1 July 2020 for connections in place as at 31 December 2019
- 1 January 2020 for all other connections