Q: Is there an operational change management/change control policy or program that has been approved by management, communicated to appropriate constituents, and an owner to maintain and review the policy? If Yes, please provide the policy and any applicable documents.
A: Yes, we utilize GitLab extensively for change control and change management. GitLab provides a comprehensive tracking system, allowing us to monitor changes line by line and review them for security before implementation.
Q: Does your organization have standard operating procedures used in the management, support, and maintenance of the products/service you are offering to us?
A: Yes, our standard operating procedures (SOPs) are documented and available on our internal GitLab wiki, accessible to all developers and support teams.
Q: Does your organization have separate environments/systems for development, testing, and production in the development, support, and maintenance of the products/services?
A: Yes, we have separate environments for different stages of development:
- Dev (internal development)
- Dev Clients (client testing)
- Production (live environment)
Q: Does your organization have regularly updated anti-malware software on all systems that are used to host, manage, and support the products/services?
A: Yes, all systems are equipped with regularly updated anti-malware software to ensure security and protection.
Q: Does your organization have a formal disaster recovery plan and conduct regular backup recovery testing?
A: Yes, we have a formal disaster recovery plan, and regular backup recovery testing is conducted. This information has been provided as an attachment via email.
Q: Is there a formal process to ensure clients are notified prior to changes being made that may impact their service? If yes, what is the communication method?
A: Yes, we have a formal client notification process for changes that may impact service. For example, when transitioning from CentOS to Ubuntu (due to CentOS reaching end of life), we followed this communication plan:
- Initial notification: Sent one month in advance
- Reminder notifications: Sent one week before and on the day of the change
- Post-change confirmation: Sent after testing to confirm everything was functioning properly
Notifications were primarily communicated through:
- Pop-up messages displayed upon login to designated users (e.g., account admins and super users)
- Email notifications (if required) to account admins
All efforts are made to minimize service disruptions, with major changes typically scheduled during off-peak hours (weekends).
Q: How are updates and patches tested before deployment in the production environment?
A: All code is tested on development servers before being deployed to production.
Q: Are application logs regularly reviewed for anomalies?
A: Yes, logs are regularly reviewed for anomalies, security breaches, and errors.
