Will the institution be notified of major changes to your environment that could impact the institution's security posture?
Explanation
At issue is whether you keep clients in the loop: institutions want assurance that you will notify them of significant changes to your environment that could affect their security posture.
In the context of security, 'major changes' typically refers to modifications such as:
- Significant infrastructure changes (moving to a new data center)
- Changes to authentication mechanisms
- Implementing new security controls or removing existing ones
- Changes to data storage locations or methods
- Major software updates that affect security functionality
- Changes to third-party service providers who handle sensitive data
This question is being asked because changes to your environment can directly impact the security of the institution's data that you process or store. For example, if you migrate to a new cloud provider without proper security controls in place, the institution's data could be at risk.
To best answer this question, you should:
- Explain your change management notification process
- Specify what types of changes trigger notifications
- Describe how notifications are delivered (email, portal, etc.)
- Mention the timeframe for notifications (immediate, within 24 hours, etc.)
- Note any differences between planned and emergency changes
If you don't have a formal notification process, it's better to acknowledge this gap and explain any plans to implement one rather than providing a misleading answer.
Example Responses
Example Response 1
Yes, we have a formal change management process that includes client notifications for major changes that could impact security We classify changes into three tiers (Minor, Significant, Major), and any Significant or Major changes that could affect client security posture trigger notifications Examples include infrastructure migrations, security control changes, authentication system updates, and changes to data processing locations For planned changes, we notify clients at least 14 days in advance via our client portal and direct email to designated security contacts For emergency changes, we send notifications as soon as possible, typically within 4 hours of implementation All notifications include the nature of the change, security implications, and any recommended client actions.
Example Response 2
Yes, our organization maintains a comprehensive change management policy that includes mandatory notification to all clients for security-impacting changes We have a dedicated Change Advisory Board that meets weekly to review all proposed changes and determine security implications For changes classified as security-relevant, we provide a minimum 30-day advance notice through multiple channels including our status page, email notifications, and in-product alerts Our notifications detail the specific changes, potential security impacts, implementation timeline, and any actions required by clients Additionally, we maintain a change calendar accessible to clients through our security portal, allowing them to view upcoming changes that might affect their environment.
Example Response 3
No, we currently do not have a formalized process for notifying clients about changes to our environment While we do implement changes using internal change management procedures, our process does not include systematic client notifications for security-impacting changes We recognize this as a gap in our security communication framework We are currently developing a client notification system that we expect to implement within the next quarter, which will include automated alerts for major infrastructure, authentication, and security control changes In the interim, we handle notifications on a case-by-case basis, typically informing clients only about the most critical changes that directly impact service availability.
Context
- Tab
- Organization
- Category
- Change Management
Related questions
- Does the system support client customizations from one release to another?
- Do you have an implemented system configuration management process (e.g.,secure "gold" images, etc.)?
- Do you have a documented change management process?
- Does your change management process minimally include authorization, impact analysis, testing, and validation before moving changes to production?
- Does your change management process verify that all required third-party libraries and dependencies are still supported with each major change?
- Do you have policy and procedure, currently implemented, managing how critical patches are applied to all systems and applications?

