
Explaining CORL’s Processes to Vendors


CORL provides a unique and innovative model for managing third-party risk. However, there is a wide range of vendor assessment technologies and solutions on the market, including cyber risk scoring tools, GRCs, automated questionnaires, vendor exchanges, and more.

This diversity of solutions has generated confusion for some vendors that are trying to figure out how and where CORL fits into the picture in supporting your vendor risk program.

I would like to share some key talking points to help CORL customers have constructive conversations with vendors to drive transparency and efficiency in the due diligence process.

CORL is an Extension of Our Team
  • CORL is a sub-contractor of our organization and is engaged as an agent and extension of our security and third-party risk team
  • CORL gathers information on behalf of our team to assist us with our specific risk management, regulatory, and contractual obligations
  • There is no “standard” CORL assessment; the assessment questionnaires and risk ratings represent our organization’s specific needs and risk tolerance model
  • When CORL reaches out for an assessment, they are reaching out on behalf of our team and our organization
Our Regulatory & Contractual Responsibilities
  • We have a regulatory responsibility to assess and manage the risk of a breach of data wherever it is created, received, maintained, or transmitted
  • We further have a responsibility to implement reasonable and appropriate safeguards for the confidentiality, availability, and integrity of the information used to provide services to our patients and to manage the risk of a breach
  • Since you handle our data, we perform assessments to gain assurance regarding the safeguards you have implemented to protect this data and implement a risk management plan to mitigate any identified risks
  • CORL helps us to gather the information necessary to maintain compliance with regulations and track and report corrective actions where appropriate
Your Data is Kept Confidential
  • All information gathered for our assessments is confidential and is not shared with any other organization or CORL client
  • CORL is not a Vendor Risk Exchange; they will not share your information with any other clients without your approval
  • CORL has signed a legal agreement with our organization which includes provisions to keep all information collected on our behalf confidential
  • Once an assessment is completed, CORL stores the data for ongoing reporting and support of our risk management program
  • CORL keeps and monitors the status of the assessment for risk trending and also archives reports for future inquiry
  • CORL has signed NDAs with many of the country’s leading vendors and is glad to do so with you where appropriate or desired by your legal counsel
  • Your data is stored securely on CORL’s servers in the United States; CORL maintains a SOC 2 Type 2 certified program that validates their security processes
CORL’s Commitment to Collaboration with Vendors
  • CORL makes significant investments in people and processes to improve engagement with vendors with no additional fees or revenue from their clients
  • CORL has a dedicated leader with over 20 years of industry experience who is assigned to vendor relationship management
  • CORL maintains strategic partnerships with key vendors and solicits routine feedback from vendors
  • CORL invests in collaboration with vendors to reduce overall security risk and drive efficiencies for all parties in the vendor risk management lifecycle
Driving Efficiencies by Reducing Assessment Time and Costs
  • CORL’s workflows and communication processes are designed to drive efficiency and reduce costs on all sides of the security assessment process
  • CORL offers a vendor Data Reuse Program that leverages previous questionnaire responses for new customer assessments
  • The vendor Data Reuse Program is completely voluntary and is offered to vendors for their convenience and to ease the burden of the assessment process
  • You control your data: if you participate in the Data Reuse Program, then you will have the option to explicitly approve the reuse of your data for new customer assessments
  • CORL’s Data Reuse Program page and CORL’s Vendor FAQ provide further detail on the program.

We are committed to driving transparency and efficiency through collaboration and partnership with all parties involved in the vendor risk management lifecycle. These talking points can help you to clarify our intent and processes to support meaningful partnership and communication with the essential vendors that support your business.

About the Author

Cliff Baker
Chief Executive Officer

Cliff is an industry leader and luminary in healthcare information technology, privacy, and security with more than 25 years of experience. Through his dedication to the healthcare sector and passion for tackling its most challenging risks, Cliff has created solutions for cybersecurity, compliance, and risk management that are actively leveraged by the world’s most recognized payors, providers, and vendors. Cliff started his career with PricewaterhouseCoopers (PwC) where he established and led the firm's first dedicated healthcare security practice. He later became the lead architect of the HITRUST framework, the most broadly adopted healthcare security and privacy framework in the industry. Cliff is a sought-after speaker and published author whose voice continues to elevate security standards throughout the healthcare ecosystem.