VENDOR FAQ: WHAT TO EXPECT FROM A CORL ASSESSMENT

CORL Technologies provides vendor security assessment services as an extension of our client’s internal resources as a managed service. We work closely with our clients to prioritize and streamline the assessment process and recommend risk mitigation strategies to lower vendor risk.

CORL collects information to help clients understand vendor protections in alignment with regulatory and internal security requirements. The assessment tools request information on policies, procedures, access controls, maintenance and vulnerability processes, to name a few. This data is used to understand your security compared to regulatory privacy and security requirements and industry best practice.

No. CORL assessments are designed to meet individual client needs. If another client requests an assessment, CORL will send a new questionnaire and/or ask if you would like to reuse an assessment that your provided to another client. The decision to reuse is completely up to your discretion, and CORL will only share information upon your explicit approval. By providing approval, we can share your information with other clients you request to assess your company by pre-populated, previously answered questions that you would then validate [see Data Reuse Program below]. 

Each year, CORL conducts thousands of vendor risk assessments on behalf of our clients. We recognize that information security resources are frequently overtaxed, and vendors must often balance the cost of responding to questionnaires with customers’ requirements for due diligence and oversight.

Answering a security questionnaire can take a significant amount of time for scarce information security and IT resources. As a result, CORL offers an assessment Data Reuse Program to help vendors respond quickly to assessments, supporting prompt assessment turnaround times for your business.

CORL’s Assessment Data Reuse Program is designed to leverage previous questionnaire responses for new client assessment requests. The process is straightforward and includes the following steps:

• Vendor to complete an Initial Vendor Profile Questionnaire (IVPQ, approximately 25 questions)
• CORL will compare information on hand against scope information provided in the IVPQ
• If information is a match, CORL will obtain approval from the vendor to reuse the data
• A report using previous responses along with client-specific questions is sent to the vendor for review and update as necessary
• CORL will also leverage evidence (less than one year old or certifications that are still valid) previously provided by the vendor
• If prior evidence validation occurred via screen share, CORL will reperform the validation

Many clients and vendors find that data reuse significantly cuts down on turn-around times and minimizes sales and implementation delays.

We provide a quality assessment in an expedited timeframe, while reducing the assessment fatigue that many vendors experience. If you would like further information on this process, please do not hesitate to speak with your CORL Client Engagement Associate.

RELATED INFOGRAPHICS:

- Explaining CORL's Processes to Vendors 

CORL does not publish the results of your assessment. The results and identified gaps are shared only with the CORL client who requested the assessment and with whom you have an existing or pending business relationship. CORL does publish a Vendor Honor Roll to highlight vendors who are open to collaboration in communication, assessment response and remediation efforts. Honor Roll selection is not based on security posture or assessment results.

CORL is happy to sign an NDA if requested. We have a standard agreement that we provide if you wish to have an NDA in place prior to sharing data.

Yes. We have a contractual obligation to our clients to secure the information that you provide in response to this assessment. Vendor information is stored on CORL's secure servers located within the United States. Procedural and technical safeguards deployed at CORL include industry best practices and have been validated for SOC 2 Type 2 controls.

No. CORL bases vendor security assessments on the information shared directly by you. There is no requirement for CORL to directly access your system or to review client data that may be housed with your organization.

Data collected to assess a vendor’s security posture is collected for our client and used in assessing risk and determining risk remediation recommendations. The detailed data collected during that process may be shared or discussed with the client as needed to provide clarification of an identified deficiency or remediation recommendation.

You may be asked to remediate deficiencies or gaps identified during the assessment. The identified deficiencies are sent to you to provide information on compensating controls, a timeline for remediation, or the decision that your organization will not remediate the item. Compensating controls will be evaluated to determine if they lower the control risk to an acceptable level (as determined by the customer) and timelines/non-remediation decisions will be reviewed with the customer. If you provide a timeline for remediation, CORL will follow up with you to validate that the deficiency was corrected.