Maintenance Windows for performing configuration tasks regarding network infrastructure, and Blackout Periods during which interruptions to network connectivity are forbidden, SHALL be established and communicated to relevant parties.

When implementing an information security program, businesses need to consider the appropriate times to implement, configure, and test new controls and technologies. Networks are extremely sensitive, so it is risky to attempt changes to network infrastructure in the middle of the day when employees are performing their workflows. Even if installation guidelines are followed step by step, there are bound to be periods of trial and error. Connectivity interruptions are almost guaranteed when making major changes to networks and systems. If employees are in the middle of workflows when changes are made, the risk of corrupting data and destroying progress increases.

This is why businesses must establish maintenance windows and blackout periods. A maintenance window is a pre-scheduled time period during which technology changes, updates, and tests are prioritized. This could be anything from upgrading systems to Windows 11, to installing new firewalls and wireless access points. Because maintenance windows are pre-approved, management has plenty of time to inform all employees of the window. Since network stability is not guaranteed during this time, management should recommend that employees complete all workflows before the window or simply wait until the window closes.

To plan for maintenance windows, businesses must first gather senior management, IT staff, and any third-party contractors such as MSSPs or electricians. This way, all perspectives can be heard, and the maintenance windows can be scheduled for a time that clearly works for everybody. It is a terrible practice to simply throw out random times for technology maintenance and just assume that everything will come together. Maintenance windows should be planned at least a few weeks ahead of time. Businesses may decide to undertake the defined tasks after hours, while some may prefer to work on weekends. Others may decide to cease normal operations for a week or so and implement the components all in one go. The time periods defined for maintenance windows are up to the business and the involved stakeholders.

Some software applications and systems allow administrators to define maintenance windows for the software to strictly adhere to. This is especially useful for software that is configured to update automatically. For example, Windows Update allows administrators to configure “Active Hours”, the span of time during which Windows systems are being used heavily and should not be interrupted. If employees work 9 to 5, then that window of time can be configured in the Windows OS baseline as the Active Hours. Windows will then wait until after 5 to perform any updates.

Maintenance windows need to be clearly communicated to all employees and other involved parties. The most common channel to communicate maintenance windows is email. Most businesses have email groups containing all employee addresses. A few days before a maintenance window, senior management should send a formal email to the group reminding them of the set time. Employees should be encouraged to finish or cease all workflows by the beginning of the maintenance window. If maintenance windows occur regularly on the same day at the same time, delivery of reminder emails can be automated.

Another communication channel is digital calendaring. Many businesses use platforms like Google Calendar to schedule and share events, meetings, workshops, etc. It is a good idea to schedule maintenance windows on the calendars so that employees can take note of them.


A blackout period is the opposite of a maintenance window. It is a period of time during which stability and availability are crucial and should not be interrupted under any circumstances. This is usually an extended period of time where business operations are at their peak, and all or nearly all systems are required to be fully functional. Because of this, technology maintenance tasks like updates, upgrades, or device configurations are strictly prohibited.

Take, for example, a bakery that expects a high degree of traffic during the weeks of Thanksgiving and Christmas. A large share of the yearly profit comes from these two weeks. All Point-of-Sale systems, network connections, cloud services, and IoT devices need to be fully operational. An infrastructure change that derails network connectivity for even a few hours could equate to a significant loss of productivity and profit.

Blackout periods are a bit trickier to define and schedule than maintenance windows. To many businesses, every day is a blackout period. However, in terms of the information security program, a blackout period should refer to a specific period where high traffic is expected, or the volume of internal workflows is expected to increase. If there are no immediately discernible candidates for blackout periods, businesses may benefit from using data analysis tools or Enterprise Resource Planning (ERP) systems to gather insights.

Communicating blackout periods usually involves the same tools as communicating maintenance windows, but with a more specific audience. Most internal employees know of these busy periods already or are indifferent since they are not required to shift any time to accommodate them. However, blackout periods should be clearly communicated to IT and maintenance staff. Using the previous example of a small bakery, management could send out a more personalized email to the IT department the week before Christmas, reminding them that the business is expected to be busy over the next week, and no major changes should occur to the business network. This reminder is especially important for businesses that use third-party IT consultants or MSSPs who may not be aware of the exact business trends.
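
Once the windows and blackout periods are agreed, IT staff and outside consultants can check a proposed change against them before touching the network. The following is an added example, not part of the original guidance: a small scheduling gate in which a blackout period always overrides a maintenance window. The weekly Saturday 22:00 window, the blackout dates, and all function names are constructed assumptions.

```python
from datetime import date, datetime, time, timedelta

# Constructed sample schedule (assumption, not from the guidance above):
# one weekly window opening Saturday 22:00 for 6 hours (crosses midnight),
# and two blackout periods standing in for the bakery's holiday weeks.
MAINTENANCE_WINDOWS = [(5, time(22, 0), timedelta(hours=6))]  # (weekday Mon=0, start, length)
BLACKOUT_PERIODS = [(date(2025, 11, 24), date(2025, 11, 30)),
                    (date(2025, 12, 19), date(2025, 12, 26))]  # inclusive dates


def in_blackout(start, end):
    """True if any part of the change interval touches a blackout period."""
    for first, last in BLACKOUT_PERIODS:
        b_start = datetime.combine(first, time.min)
        b_end = datetime.combine(last + timedelta(days=1), time.min)
        if start < b_end and end > b_start:
            return True
    return False


def in_maintenance_window(start, end):
    """True if the whole change fits inside one occurrence of a window."""
    for weekday, w_time, length in MAINTENANCE_WINDOWS:
        # Try the window that opened on the start day and on the day before,
        # so a change that begins after midnight is still matched.
        for back in (0, 1):
            day = start.date() - timedelta(days=back)
            if day.weekday() != weekday:
                continue
            w_start = datetime.combine(day, w_time)
            if w_start <= start and end <= w_start + length:
                return True
    return False


def change_allowed(start, duration):
    """Return (allowed, reason); a blackout period overrides any window."""
    end = start + duration
    if in_blackout(start, end):
        return False, "blackout period"
    if not in_maintenance_window(start, end):
        return False, "outside maintenance window"
    return True, "inside maintenance window"
```

The change must fit entirely inside a window, so a task that would overrun the window's end is rejected rather than left to spill into working hours.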