Does the system support client customizations from one release to another?
Explanation
At issue here is whether customers can tailor the software to their needs, and whether those customizations carry forward intact when you ship new releases.
In a security assessment context, this question matters because customizations can introduce security risks if not properly managed during upgrades. When customers modify your system to meet their specific needs, these modifications could potentially break during updates, be overwritten, or create security vulnerabilities if the upgrade process doesn't properly account for them.
The question aims to understand:
- If your system allows client customizations (like custom fields, workflows, integrations, etc.)
- How these customizations are handled during version upgrades
- Whether there's a formal process to ensure customizations remain secure and functional after updates
A good answer should explain whether customizations are supported, how they're preserved during updates, what testing is done to ensure compatibility, and what documentation or guidance is provided to customers about maintaining their customizations securely across releases.
Guidance
Ensure that all relevant details pertaining to CHNG-06 are clearly stated in your response.
Example Responses
Example Response 1
Yes, our system fully supports client customizations across releases We maintain backward compatibility for our customization APIs and extension points When customers upgrade to a new release, their customizations are preserved through our migration framework that automatically adapts customizations to the new version's architecture We provide a pre-upgrade compatibility checker tool that scans existing customizations and alerts customers to any potential issues before upgrading Our release notes include a dedicated section on customization impacts, and we maintain detailed documentation on how to update customizations when necessary Additionally, we offer a sandbox environment where customers can test their customizations against upcoming releases before deploying to production.
Example Response 2
Yes, our platform supports client customizations between releases through our extension framework Customizations are implemented using our documented API and stored separately from core system files During upgrades, our system preserves these customizations by maintaining API compatibility and using a version-aware customization registry While we strive for full backward compatibility, major releases may require customization updates For these cases, we provide migration tools, detailed upgrade guides, and a minimum 60-day notice before deprecating any customization APIs Our customer success team also offers customization review services to help ensure smooth transitions between major releases.
Example Response 3
No, our system does not currently support preserving client customizations between releases Our software follows a standardized deployment model where customizations must be reimplemented after major version upgrades While customers can customize the current version through configuration options and our extension framework, these modifications are not automatically migrated during the upgrade process We recognize this limitation and provide detailed documentation on how to document current customizations and efficiently reimplement them in new versions We're currently developing a customization migration framework that we plan to include in our next major release to address this limitation.
Context
- Tab
- Organization
- Category
- Change Management
Related questions
- Will the institution be notified of major changes to your environment that could impact the institution's security posture?
- Do you have an implemented system configuration management process (e.g.,secure "gold" images, etc.)?
- Do you have a documented change management process?
- Does your change management process minimally include authorization, impact analysis, testing, and validation before moving changes to production?
- Does your change management process verify that all required third-party libraries and dependencies are still supported with each major change?
- Do you have policy and procedure, currently implemented, managing how critical patches are applied to all systems and applications?

