Are upgrades or system changes installed during off-peak hours or in a manner that does not impact the customer?
Explanation
At issue is the timing and execution of maintenance, specifically whether upgrades and system changes happen during off-peak windows or in ways that shield customers from disruption.
In technical terms, the question wants to know if you schedule maintenance windows during times of low usage (off-peak hours) or implement changes in a way that customers can continue using the service without disruption (such as using redundant systems, blue-green deployments, or rolling updates).
This is important from a security perspective for several reasons:
- Availability is a key component of the CIA security triad (Confidentiality, Integrity, Availability)
- Poorly planned updates can lead to unexpected downtime, which may violate service level agreements (SLAs)
- Rushed implementations during peak hours increase the risk of errors that could introduce security vulnerabilities
- Proper change management demonstrates operational maturity and risk awareness
When answering this question, you should describe your organization's change management process, including:
- How you determine maintenance windows
- How you communicate planned maintenance to customers
- What technical approaches you use to minimize disruption
- How you handle emergency changes that may need to occur outside normal procedures
Example Responses
Example Response 1
Yes, our organization implements a strict change management process that ensures all planned upgrades and system changes occur during designated maintenance windows These windows are scheduled between 2:00 AM and 5:00 AM Eastern Time on Sundays, which our usage analytics have identified as the period of lowest customer activity For global customers, we maintain redundant systems in different regions and perform rolling updates to ensure continuous availability All planned maintenance is communicated to customers at least 7 days in advance through our status page, email notifications, and in-product alerts For emergency patches (such as critical security updates), we use blue-green deployment methodology to implement changes with zero downtime.
Example Response 2
Yes, our company follows a comprehensive change management process that minimizes customer impact We utilize containerized microservices architecture with Kubernetes orchestration, allowing us to perform rolling updates with no service interruption for most system changes For database schema changes or other updates requiring brief service interruption, we schedule these during our weekly maintenance window (Tuesdays, 11:00 PM to 1:00 AM Pacific Time) Customers are notified 14 days in advance through multiple channels, and our SLA excludes these pre-announced maintenance periods Additionally, we maintain a staging environment that mirrors production, allowing us to thoroughly test all changes before deployment, further reducing the risk of customer-impacting issues.
Example Response 3
No, we currently do not have a formal process for scheduling upgrades during off-peak hours Our small development team implements changes as they are ready, which sometimes occurs during business hours While we attempt to notify customers when possible, emergency security patches and bug fixes are often deployed immediately upon completion We recognize this as an area for improvement and are working to establish a more structured change management process that includes defined maintenance windows and better customer communication In the meantime, we do perform thorough testing in our development environment before pushing changes to production to minimize potential issues.
Context
- Tab
- Organization
- Category
- Change Management
Related questions
- Will the institution be notified of major changes to your environment that could impact the institution's security posture?
- Does the system support client customizations from one release to another?
- Do you have an implemented system configuration management process (e.g.,secure "gold" images, etc.)?
- Do you have a documented change management process?
- Does your change management process minimally include authorization, impact analysis, testing, and validation before moving changes to production?
- Does your change management process verify that all required third-party libraries and dependencies are still supported with each major change?

