VENDOR FAQ: WHAT TO EXPECT FROM A CORL ASSESSMENT
CORL is committed to partnership and collaboration with vendors and organizations servicing our customers. Our workflows and communication processes are designed to drive efficiency and reduce costs on all sides of the security assessment process.
We maintain strategic partnerships with vendors and invest in collaboration to reduce overall security risk and drive efficiencies for all parties in the vendor risk management lifecycle.
CORL’s Vendor Honor Roll program promotes and celebrates organizations that invest in information security protections to safeguard the sensitive information they maintain on behalf of their customers.
FREQUENTLY ASKED QUESTIONS (FAQs)
The following information provides insights and Frequently Asked Questions for vendors that engage with CORL to support our mutual customers’ vendor risk management program objectives.
Who is CORL Technologies?
CORL Technologies provides vendor security assessment services as a managed service, acting as an extension of our clients’ internal resources. We work closely with our clients to prioritize and streamline the assessment process and recommend risk mitigation strategies to lower vendor risk.
What data does CORL collect?
CORL collects information to help clients understand vendor protections in alignment with regulatory and internal security requirements. The assessment tools request information on policies, procedures, access controls, maintenance and vulnerability management processes, among other areas. This data is used to evaluate your security posture against regulatory privacy and security requirements and industry best practice.
Is my organization’s data accessible to your other clients?
No. CORL assessments are designed to meet individual client needs. If another client requests an assessment, CORL will send a new questionnaire and/or ask if you would like to reuse an assessment that you provided to another client. The decision to reuse is completely at your discretion, and CORL will only share information upon your explicit approval. With your approval, we can share your information with other clients that request an assessment of your company by pre-populating previously answered questions, which you would then validate [see Data Reuse Program below].
What is the Data Reuse Program and how do we participate?
Each year, CORL conducts thousands of vendor risk assessments on behalf of our clients. We recognize that information security resources are frequently overtaxed, and vendors must often balance the cost of responding to questionnaires with customers’ requirements for due diligence and oversight.
Answering a security questionnaire can take a significant amount of time for scarce information security and IT resources. As a result, CORL offers an assessment Data Reuse Program to help vendors respond quickly to assessments, supporting prompt assessment turnaround times for your business.
CORL’s Assessment Data Reuse Program is designed to leverage previous questionnaire responses for new client assessment requests. The process is straightforward and includes the following steps:
- The vendor completes an Initial Vendor Profile Questionnaire (IVPQ, approximately 25 questions)
- CORL compares the information on hand against the scope information provided in the IVPQ
- If the information matches, CORL obtains approval from the vendor to reuse the data
- A report using previous responses, along with client-specific questions, is sent to the vendor for review and update as necessary
- CORL also leverages evidence previously provided by the vendor (less than one year old, or certifications that are still valid)
- If prior evidence validation occurred via screen share, CORL re-performs the validation
Many clients and vendors find that data reuse significantly cuts down on turnaround times and minimizes sales and implementation delays.
We provide a quality assessment in an expedited timeframe, while reducing the assessment fatigue that many vendors experience. If you would like further information on this process, please do not hesitate to speak with your CORL Client Engagement Associate.
Does CORL publish the results of my assessment?
CORL does not publish the results of your assessment. The results and identified gaps are shared only with the CORL client who requested the assessment and with whom you have an existing or pending business relationship. CORL does publish a Vendor Honor Roll to highlight vendors who are open to collaboration in communication, assessment response and remediation efforts. Honor Roll selection is not based on security posture or assessment results.
Will CORL sign a Non-disclosure Agreement (NDA) with us?
CORL is happy to sign an NDA if requested. We have a standard agreement that we provide if you wish to have an NDA in place prior to sharing data.
Is my data held securely?
Yes. We have a contractual obligation to our clients to secure the information that you provide in response to this assessment. Vendor information is stored on CORL's secure servers located within the United States. Procedural and technical safeguards deployed at CORL include industry best practices and have been validated for SOC 2 Type 2 controls.
Will CORL need access to my systems or client data?
No. CORL bases vendor security assessments on the information shared directly by you. There is no requirement for CORL to directly access your system or to review client data that may be housed with your organization.
Is my data shared with your client?
Data collected to assess a vendor’s security posture is collected for our client and used in assessing risk and determining risk remediation recommendations. The detailed data collected during that process may be shared or discussed with the client as needed to provide clarification of an identified deficiency or remediation recommendation.
What does it mean if I am asked to remediate control gaps?
You may be asked to remediate deficiencies or gaps identified during the assessment. The identified deficiencies are sent to you so that you can provide information on compensating controls, a timeline for remediation, or the decision that your organization will not remediate the item. Compensating controls will be evaluated to determine whether they lower the control risk to an acceptable level (as determined by the customer), and timelines and non-remediation decisions will be reviewed with the customer. If you provide a timeline for remediation, CORL will follow up with you to validate that the deficiency was corrected.
I sleep well at night knowing that we are not only compliant, but secure. I would give our security posture a year ago about a D to now an A+, and I think any assessor would be more than satisfied with what they see here now. I can only imagine the time and resources we would have to expend internally to do what your team at CORL does.
CORL is exceptionally valuable for an insanely great price point. Thinking about the work effort alone, I would have to double my team or lose my mind. I would need another 4- or 5-person team to manage the ~980 vendor relationships.
CORL is a ‘force multiplier’ for our InfoSec Program. It is not possible for us to accomplish at this level, with this amount of efficiency, on our own. Even if we had an FTE... it would take a year or more, where CORL can do it in a month. We cannot reproduce this in-house.