How is Belastingdienst filetransfer secured?

Verification of the security

The security and reliability of Belastingdienst filetransfer are of high importance. To ensure security, the Dutch Tax and Customs Administration has taken the following measures.

  • An independent organisation performed the attack, penetration and configuration tests. This Third Party Memo describes the judgement of the company which performed the test.
  • The security of the infrastructure of the Dutch Tax and Customs Administration complies with the "BIR" (Baseline Informatiebeveiliging Rijksdienst).
  • Application security measures:
    • HTTPS transport for the web application.
    • When using IBM Aspera Connect, the files are encrypted inside the HTTPS transport, as described in the document "Aspera FASP Security model".
    • When using IBM Aspera Connect, you can optionally secure the files with a password using "encryption-at-rest", after which only sender and receiver can access the contents of the files.
  • The Dutch Tax and Customs Administration Security Operations Center continuously monitors Belastingdienst filetransfer.

Software

Belastingdienst filetransfer is based on the IBM product IBM Aspera. Information about security measures during software development can be found on the page "IBM Security in Development". It describes the IBM Secure Engineering Practices, the Product Security Vulnerabilities and how IBM operates in case of security vulnerability reports.

Logging & tracking:

The Dutch Tax and Customs Administration logs the following user information when you use Belastingdienst filetransfer:

  • sender e-mail address
  • receiver e-mail address
  • filename(s)
  • timestamp of upload
  • timestamp of download
  • number of downloads
  • IP address of download
  • IP address of upload

The Dutch Tax and Customs Administration uses this information when:

  • troubleshooting (technical) issues;
  • creating statistics and usage reports;
  • conducting forensic research in case of suspicion of malpractice.

If you suspect malpractice, security vulnerabilities or other security/privacy related issues, check your options on the page "Malpractise and security issues. What do I need to do?".