HECVAT Category
Change Management
The Change Management category covers the controls and questions for how a vendor manages changes to its systems, applications, and services. It outlines the expectations institutions typically place on vendors, helps assess the vendor's risk posture and operational maturity, and gives security reviews a consistent structure for evaluation.
Assessment Questions
Will the institution be notified of major changes to your environment that could impact the institution's security posture?
This question is asking whether your organization has a process to notify the institution (your client) about significant changes to your environment that could affect their security.
Does the system support client customizations from one release to another?
This question is asking whether your system allows customers to make customizations to the software and whether those customizations are preserved when you release new versions of your software.
Do you have an implemented system configuration management process (e.g., secure "gold" images, etc.)?
This question is asking whether your organization has a formalized process for managing system configurations, particularly focusing on whether you create and maintain secure baseline configurations (often called "gold images") for your systems.
Do you have a documented change management process?
This question is asking whether your organization has a formal, documented process for managing changes to your IT systems, applications, infrastructure, or other technology assets.
Does your change management process minimally include authorization, impact analysis, testing, and validation before moving changes to production?
This question is asking about your organization's change management process, which is the structured approach to making changes to your IT systems, applications, or infrastructure. Specifically, it is asking whether your process includes at least four critical elements before a change reaches production: authorization, impact analysis, testing, and validation.
Does your change management process verify that all required third-party libraries and dependencies are still supported with each major change?
This question is asking whether your organization's change management process includes a specific verification step to ensure that all third-party libraries and dependencies used in your software or systems are still actively supported and maintained when you implement major changes.
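One way to make that verification step concrete is a gate in the change pipeline that refuses a change when any pinned dependency has passed its end-of-support date or has no support data at all. The following is an added example, not HECVAT material or any vendor's tooling; the support table, review date, and manifest are constructed for illustration, and a real gate would load support dates from the vendors' published schedules.

```python
import re
from collections import namedtuple
from datetime import date

# CONSTRUCTED support table: package -> release series -> end-of-support date.
# A real gate would load this from the vendors' published support schedules.
SUPPORT_TABLE = {
    "framework-x": {"3.2": date(2026, 12, 31), "2.9": date(2024, 6, 30)},
    "crypto-lib": {"41": date(2027, 1, 31)},
}
REVIEW_DATE = date(2025, 1, 15)   # constructed date of the change review
_PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9.]*)\s*(?:#.*)?$")
Finding = namedtuple("Finding", "package version status detail")  # status: supported/unsupported/unknown

def _series_for(package, version):
    """Longest release series in the table that the pinned version belongs to."""
    matches = [s for s in SUPPORT_TABLE.get(package, {})
               if version == s or version.startswith(s + ".")]
    return max(matches, key=len) if matches else None

def check_dependencies(requirements, today):
    """One Finding per requirement line; exact pins are matched to a support series."""
    findings = []
    for line in (raw.strip() for raw in requirements.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = _PIN_RE.match(line)
        if not m:   # version ranges or unpinned entries cannot be verified
            findings.append(Finding(line, "", "unknown", "not pinned to an exact version"))
            continue
        name, version = m.group(1).lower(), m.group(2)
        series = _series_for(name, version)
        if series is None:
            findings.append(Finding(name, version, "unknown", "no support data for this series"))
            continue
        eos = SUPPORT_TABLE[name][series]
        status = "unsupported" if eos < today else "supported"
        findings.append(Finding(name, version, status, f"series {series} end of support {eos}"))
    return findings

def gate_passes(findings):
    """Fail closed: unsupported and unknown dependencies both block the change."""
    return all(f.status == "supported" for f in findings)

SAMPLE_REQUIREMENTS = """\
framework-x==3.2.7
crypto-lib==41.0.3
framework-x==2.9.1   # legacy module still pinned to the old series
left-pad>=1.0
"""  # constructed manifest for the change under review
```

Run `check_dependencies(SAMPLE_REQUIREMENTS, REVIEW_DATE)` to see one finding per line; the sample is blocked both by the end-of-life 2.9 series and by the unpinned range, which the gate cannot verify.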
Do you have policy and procedure, currently implemented, managing how critical patches are applied to all systems and applications?
This question is asking whether your organization has a formal, documented policy and procedure for managing critical security patches, and importantly, whether this policy is actually being implemented (not just written down somewhere).
Have you implemented policies and procedures that guide how security risks are mitigated until patches can be applied?
This question is asking whether your organization has formal, documented procedures for managing security risks during the period between when a vulnerability is discovered and when it can be patched.
Do clients have the option to not participate in or postpone an upgrade to a new release?
This question is asking whether your organization gives clients control over when software upgrades or new releases are applied to their environments or instances. In a security assessment context, this question evaluates the balance between keeping systems updated with security patches and respecting client operational needs.
Do you have a fully implemented solution support strategy that defines how many concurrent versions you support?
This question is asking whether your organization has a formal strategy for supporting different versions of your software or service, specifically how many concurrent versions you maintain at any given time.
Do you have a release schedule for product updates?
This question is asking whether your organization follows a structured, predictable schedule for releasing updates to your product. A release schedule is a documented timeline that outlines when software updates, patches, bug fixes, and new features will be deployed to production environments.
Do you have a technology roadmap, for at least the next two years, for enhancements and bug fixes for the solution being assessed?
This question is asking whether your organization maintains a formal technology roadmap that outlines planned enhancements, feature additions, and bug fixes for the product or service being assessed, with visibility extending at least two years into the future.
Can solution updates be completed without institutional involvement (i.e., technically or organizationally)?
This question is asking whether your solution (software, service, platform, etc.) can be updated by your organization without requiring involvement from the institution (the customer).
Are upgrades or system changes installed during off-peak hours or in a manner that does not impact the customer?
This question is asking about your organization's approach to system maintenance, specifically when and how you perform upgrades or system changes to minimize customer impact.
Do procedures exist to provide that emergency changes are documented and authorized (including after-the-fact approval)?
This question is asking whether your organization has formal procedures for handling emergency changes to your systems, with a specific focus on documentation and authorization processes.
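The two controls above (the four pre-production gates, and after-the-fact authorization for emergency changes) can be audited from the change log itself. The following is an added example, not HECVAT material or any vendor's tooling; the change records are constructed, and the 24-hour after-the-fact approval window is an assumed policy value, not one the questionnaire specifies.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy values: the four gates named in the question, and the window in
# which an emergency change must be authorized after it has been deployed.
REQUIRED_GATES = ("authorized", "impact_analysis", "tested", "validated")
AFTER_THE_FACT_WINDOW = timedelta(hours=24)

@dataclass
class ChangeRecord:
    ticket: str
    emergency: bool
    deployed_at: datetime
    evidence: dict          # gate name -> datetime the evidence was recorded

def audit_change(rec):
    """Return policy violations for one record (an empty list means compliant)."""
    problems = []
    for gate in REQUIRED_GATES:
        done_at = rec.evidence.get(gate)
        if done_at is None:
            problems.append(f"missing {gate}")   # undocumented on either path
        elif rec.emergency:
            # Emergency path: deploying first is allowed, but authorization
            # must still be recorded within the after-the-fact window.
            if gate == "authorized" and done_at > rec.deployed_at + AFTER_THE_FACT_WINDOW:
                problems.append("after-the-fact approval outside 24h window")
        elif done_at > rec.deployed_at:
            # Standard path: every gate must precede production deployment.
            problems.append(f"{gate} completed after production deployment")
    return problems

def audit_changes(records):
    """Map each ticket to its violations so reviewers see non-compliant changes."""
    return {rec.ticket: audit_change(rec) for rec in records}

T = datetime(2025, 3, 10, 2, 0)   # constructed deployment timestamp
def _ev(**hours):                 # gate -> T plus an offset in hours
    return {g: T + timedelta(hours=h) for g, h in hours.items()}

# Constructed change log: two standard changes and two emergency changes.
SAMPLE_CHANGES = [
    ChangeRecord("CHG-1001", False, T, _ev(authorized=-48, impact_analysis=-40, tested=-12, validated=-2)),
    ChangeRecord("CHG-1002", False, T, _ev(authorized=-48, impact_analysis=-40, tested=6, validated=-2)),
    ChangeRecord("EMG-2001", True, T, _ev(authorized=3, impact_analysis=5, tested=5, validated=8)),
    ChangeRecord("EMG-2002", True, T, _ev(authorized=40, impact_analysis=5, tested=5)),
]
```

`audit_changes(SAMPLE_CHANGES)` flags CHG-1002 for testing after deployment and EMG-2002 for late approval and a missing validation record, while the compliant standard and emergency changes return no findings.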
Do you have a systems management and configuration strategy that encompasses servers, appliances, cloud services, applications, and mobile devices (company and employee owned)?
This question is asking whether your organization has a comprehensive strategy for managing and configuring all of your technology assets across your entire environment. A systems management and configuration strategy refers to the documented approach, policies, procedures, and tools used to maintain, update, and secure all technology components.
ResponseHub is the product I wish I had when I was a CTO
Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.
As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!
I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.