Can solution updates be completed without institutional involvement (i.e., technically or organizationally)?
Explanation
Reviewers want to know whether you can roll out updates to your solution independently, without requiring any technical or organizational involvement from the institution.
In the context of security, this question helps the institution understand their operational burden and control over changes to systems that may contain their data or integrate with their infrastructure. Updates often include security patches, bug fixes, and new features, all of which can potentially impact security posture.
The institution wants to know if they need to allocate resources to participate in update processes (like scheduling downtime, performing testing, or executing update procedures), or if updates happen automatically or are fully managed by the vendor.
When answering, you should be clear about:
- Whether updates can be applied without customer involvement
- What types of updates might require customer involvement (if any)
- How the update process works
- What controls are in place to ensure updates don't negatively impact the customer
- How updates are communicated to customers
This is important because it affects the institution's operational planning, risk management, and understanding of the maintenance burden associated with your solution.
Example Responses
Example Response 1
Yes, our solution updates can be completed without institutional involvement We operate a fully managed SaaS platform where all updates, including security patches, bug fixes, and feature enhancements, are deployed by our operations team through our continuous deployment pipeline Updates are typically performed during scheduled maintenance windows (Sundays, 2-4 AM EST) with zero downtime We provide advance notification of all planned updates through our customer portal and via email at least 7 days before implementation For critical security patches, we may expedite deployment but will always notify customers within 24 hours Customers can access release notes in our portal but do not need to take any action to receive updates.
Example Response 2
Partially Our solution has two update categories: (1) Backend infrastructure and security updates are managed entirely by our team without requiring institutional involvement These occur weekly during low-traffic periods with no service interruption (2) Major feature releases and database schema changes require minimal institutional coordination - typically a 1-hour maintenance window scheduled at least 14 days in advance where an institutional administrator must approve the update timing but doesn't need to perform technical actions All updates are tested in our staging environment before deployment, and we provide detailed release notes and rollback procedures for each update.
Example Response 3
No, our solution updates cannot be completed without institutional involvement Our software is deployed within the institution's infrastructure (on-premises or in their cloud environment), requiring institutional IT staff to apply updates We provide detailed update packages and documentation, but the actual implementation must be performed by the institution's technical staff This approach gives institutions complete control over their update schedule and allows for thorough testing in their specific environment before deployment We recommend quarterly updates and provide emergency security patches as needed, but the timing and implementation remain the institution's responsibility.
Context
- Tab
- Organization
- Category
- Change Management
Related questions
- Will the institution be notified of major changes to your environment that could impact the institution's security posture?
- Does the system support client customizations from one release to another?
- Do you have an implemented system configuration management process (e.g.,secure "gold" images, etc.)?
- Do you have a documented change management process?
- Does your change management process minimally include authorization, impact analysis, testing, and validation before moving changes to production?
- Does your change management process verify that all required third-party libraries and dependencies are still supported with each major change?

