CHNG-13

Can solution updates be completed without institutional involvement (i.e., technically or organizationally)?

Explanation

This question is asking whether your solution (software, service, platform, etc.) can be updated by your organization without requiring involvement from the institution (the customer). In the context of security, this question helps the institution understand their operational burden and control over changes to systems that may contain their data or integrate with their infrastructure.

Updates often include security patches, bug fixes, and new features, all of which can potentially impact security posture. The institution wants to know if they need to allocate resources to participate in update processes (like scheduling downtime, performing testing, or executing update procedures), or if updates happen automatically or are fully managed by the vendor.

When answering, you should be clear about:

1. Whether updates can be applied without customer involvement
2. What types of updates might require customer involvement (if any)
3. How the update process works
4. What controls are in place to ensure updates don't negatively impact the customer
5. How updates are communicated to customers

This is important because it affects the institution's operational planning, risk management, and understanding of the maintenance burden associated with your solution.

Example Responses

Example Response 1

Yes, our solution updates can be completed without institutional involvement. We operate a fully managed SaaS platform where all updates, including security patches, bug fixes, and feature enhancements, are deployed by our operations team through our continuous deployment pipeline. Updates are typically performed during scheduled maintenance windows (Sundays, 2-4 AM EST) with zero downtime. We provide advance notification of all planned updates through our customer portal and via email at least 7 days before implementation. For critical security patches, we may expedite deployment but will always notify customers within 24 hours. Customers can access release notes in our portal but do not need to take any action to receive updates.

Example Response 2

Partially. Our solution has two update categories: (1) Backend infrastructure and security updates are managed entirely by our team without requiring institutional involvement. These occur weekly during low-traffic periods with no service interruption. (2) Major feature releases and database schema changes require minimal institutional coordination - typically a 1-hour maintenance window scheduled at least 14 days in advance where an institutional administrator must approve the update timing but doesn't need to perform technical actions. All updates are tested in our staging environment before deployment, and we provide detailed release notes and rollback procedures for each update.

Example Response 3

No, our solution updates cannot be completed without institutional involvement. Our software is deployed within the institution's infrastructure (on-premises or in their cloud environment), requiring institutional IT staff to apply updates. We provide detailed update packages and documentation, but the actual implementation must be performed by the institution's technical staff. This approach gives institutions complete control over their update schedule and allows for thorough testing in their specific environment before deployment. We recommend quarterly updates and provide emergency security patches as needed, but the timing and implementation remain the institution's responsibility.

Context

Tab: Organization
Category: Change Management

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub