...

  1. Identify all system components and data flows relying on and/or supporting the vulnerable protocols.
    1. Qvalent examined the impact of TLS use on current systems and determined what would have to change in the environment. This was completed by December 31 2015.
  2. For each system component or data flow, identify the business and/or technical need for using the vulnerable protocol.
    1. Qvalent has evaluated the impact of TLS removal on business critical systems. It has been identified that many customer systems can only support TLSv1.0. Turning off TLSv1.0 would prevent these customers from transacting with Westpac. Customers must be given fair warning before TLSv1.0 is disabled.
    2. Current known use is documented in the section “TLS use” above.
  3. Immediately remove or disable all instances of vulnerable protocols that do not have a supporting business or technical need.
    1. Qvalent has evaluated the systems where this can be done without adverse impact on the environment and customers. This was completed on March 1 2016.
  4. Identify technologies to replace the vulnerable protocols and document secure configurations to be implemented.
    1. This was completed by March 31 2016.
  5. Document a migration project plan outlining steps and time frames for updates.
    1. This document will be used to track and maintain timelines as indicated. Progress will be reviewed monthly. Refer to the page “Qvalent and Westpac services disabling TLSv1.0 and TLSv1.1”.
  6. Implement risk reduction controls to help reduce susceptibility to known exploits until the vulnerable protocols are removed from the environment.
    1. Additional IPS signatures have been enabled.
    2. The service provider has been instructed to take additional care with regards to identifying TLS or SSL based attacks on the organisation.
  7. Perform migrations and follow change control procedures to ensure system updates are tested and authorised.
    1. Standard change control will be used to implement any mitigation.
  8. Update system configuration standards as migrations to new protocols are completed.
    1. Current documentation has been updated to reflect the use of insecure protocols.
    2. Configuration standards have been updated to prohibit new deployments of TLS 1.0 and SSL.
  9. Notify customers by email and by notices on Qvalent websites that TLSv1.0 and TLSv1.1 are to be turned off on the 9th of Oct 2017, and monitor the number of customers that have viewed this notification. – Done
  10. Soft turn off of TLSv1.0 and TLSv1.1 from the 9th of Oct 2017 (Done). All applications now return an error to customers if they try to process transactions using TLSv1.0 or TLSv1.1.
  11. Turn off TLSv1.0 and TLSv1.1 at a network level. This is scheduled for the 1st of May 2018 (Done). The PCI council has set the 30th of June 2018 as the official cutoff.
  12. As of 9:10am on the 2nd of May (SYD time) TLSv1.0 and TLSv1.1 have been turned off across all Qvalent applications at a network level.
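As an added example (not part of this page or of Qvalent's own tooling), a small Python classifier that supports the monitoring behind steps 9 to 12: it reads a captured TLS ClientHello and reports the highest protocol version the client offers, so customers whose software can negotiate nothing newer than TLSv1.1 can be counted before and after the cut-off. The ClientHello builder below is a constructed test input, not a real capture.

```python
import struct

TLS_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
             0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
EXT_SUPPORTED_VERSIONS = 0x002B  # RFC 8446 section 4.2.1

def offered_versions(record: bytes) -> list:
    """Return the protocol versions a ClientHello offers, highest first.
    A TLS 1.3 client puts 0x0303 in legacy_version and lists its real
    versions in supported_versions, so that extension wins when present."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    body = record[9:]                          # skip record + handshake headers
    client_version = struct.unpack(">H", body[:2])[0]
    pos = 2 + 32                               # client_version + random
    pos += 1 + body[pos]                       # session_id
    pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                       # compression_methods
    versions = [client_version]
    if pos + 2 <= len(body):                   # extensions block is optional
        ext_end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack(">HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_len]
            if ext_type == EXT_SUPPORTED_VERSIONS:
                versions = [struct.unpack(">H", data[i:i + 2])[0]
                            for i in range(1, 1 + data[0], 2)]
            pos += 4 + ext_len
    return sorted(set(versions), reverse=True)

def needs_migration(record: bytes) -> bool:
    """True when the client can negotiate nothing newer than TLSv1.1."""
    return offered_versions(record)[0] < 0x0303

def make_client_hello(client_version: int, supported=None) -> bytes:
    """Constructed sample input: a minimal ClientHello, not a real capture."""
    ext = b""
    if supported:
        lst = b"".join(struct.pack(">H", v) for v in supported)
        ext = struct.pack(">HHB", EXT_SUPPORTED_VERSIONS, len(lst) + 1, len(lst)) + lst
    body = (struct.pack(">H", client_version) + bytes(32)   # version, random
            + b"\x00"                                        # empty session_id
            + struct.pack(">H", 2) + b"\xc0\x2f"             # one cipher suite
            + b"\x01\x00"                                    # null compression
            + struct.pack(">H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack(">HH", client_version, len(hs)) + hs
```

Feed real ClientHello records (for example, the first handshake record of each captured connection) to `needs_migration` to list the clients that the network-level cut-off will reject.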

3 Customer Notification

...