Overview
Assessments are the questionnaires CORL submits to vendors.
After you submit a request for an assessment, there is a time lag while CORL processes your request. You can view the Assessment Queue to determine the status of your request.
Tip: It may take up to 48 hours after you submit a request for an assessment for the assessment count to update. You can view the status of your request in the Support Desk. For more information, see Obtain Support.
If you are a CORLcleared customer, and all of your lanes are in use, you can view the assessment queue to see which assessments are waiting for an available lane.
- If you want to request a new assessment, do any of the following:
- While you are viewing the Command Center, click Create New Assessment Request.
- Navigate to Assessments and click Request Assessment.
- Navigate to Assessments > Assessments Overview and click New Assessment Request.
The Assessment Request window displays. For more information, go to Request a New Vendor Assessment.
- If you want to view all assessments (open, vendor remediation, closed), navigate to Assessments > Assessments Overview. For more information, see View the Assessments Queue.
- If you want to view Executive Summary assessments reports, navigate to Assessments > Assessments Overview. For more information, see View the Assessments Queue.
- If you want to view detailed information regarding completed assessments, navigate to Assessments > Program Metrics. For more information, see Introduction to Program Metrics.
- If you want to view detailed information regarding vendors, navigate to Vendors > Dynamic Vendor Roster. For more information, see Introduction to Dynamic Vendor Roster Dashboard.
- If you want to understand the status of an assessment, see CORL Assessment Status.
- If you have questions regarding assessments, use the Support Desk to submit a ticket. For more information, see Obtain Support.
Selecting Vendors to Assess
How do we select which vendors to assess? While we would like to use the same process for all vendors across the board, we realize that these assessments are not going to apply to all vendors.
We recommend tiering your vendors and focusing on assessing vendors that can access your IT environment or sensitive data such as credit card data, PHI, or PII.
For lower-tiered vendors you may want to explore other due diligence options. For example, if you have a vendor that collects trash, you may want to request background checks of the employees and ensure that employees review and sign off on an Acceptable Use Policy. You may also want to request completion of basic security training if it makes sense.
From a regulatory standpoint, it’s important that you document your approach and perform a level of due diligence that is commensurate to the service being provided from the vendor. For example:
- Tier 1 and Tier 2 vendors: Complete an annual CORLcleared Assessment.
- Tier 3 vendors: Complete a CORLcleared Assessment every 2 years.
- Tier 4 vendors: Based on services provided, may only be subject to background checks/screens (or confirmation of), AUP, security training, etc.
You can also require an unvalidated (no evidence) assessment approach with a smaller questionnaire for lower tiered vendors that pose little risk.
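The tiering approach described above can be turned into a simple overdue-assessment check. The following is an added example, not CORL's own code or part of this article: the tier-assignment rules (IT access plus sensitive data is Tier 1, either one alone is Tier 2, other business data is Tier 3, nothing is Tier 4) are an assumed illustration because the article gives only examples, not exact criteria; the cadence values follow the article (Tier 1 and 2 annual, Tier 3 every 2 years, Tier 4 other due diligence); the vendor records are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Data classes named in the article as sensitive.
SENSITIVE_DATA = {"PHI", "PCI", "PII"}


@dataclass
class Vendor:
    name: str
    has_it_access: bool                  # vendor can reach your IT environment
    data_types: frozenset = frozenset()  # kinds of data the vendor handles
    last_assessed: Optional[date] = None # date of last completed assessment


def assign_tier(v: Vendor) -> int:
    """Assumed tier boundaries for illustration (the article does not fix them)."""
    sensitive = bool(v.data_types & SENSITIVE_DATA)
    if v.has_it_access and sensitive:
        return 1
    if v.has_it_access or sensitive:
        return 2
    if v.data_types:            # non-sensitive business data only
        return 3
    return 4                    # e.g. facilities vendors with no data or access


# Questionnaire cadence per tier, from the article. Tier 4 has none.
CADENCE_DAYS = {1: 365, 2: 365, 3: 730}


def requirements(tier: int) -> dict:
    """Due-diligence expectations per tier, following the article's examples."""
    if tier in (1, 2, 3):
        return {
            "assessment": "CORLcleared",
            "cadence_days": CADENCE_DAYS[tier],
            # Assumption: the unvalidated (no evidence) option is offered
            # only to lower tiers, as the article suggests for low-risk vendors.
            "unvalidated_option": tier == 3,
        }
    return {
        "assessment": None,
        "cadence_days": None,
        "unvalidated_option": False,
        "controls": ["background checks/screens", "AUP sign-off",
                     "basic security training"],
    }


def next_due(v: Vendor, today: date) -> Optional[date]:
    """Next assessment due date, or None when the tier carries no questionnaire."""
    cadence = CADENCE_DAYS.get(assign_tier(v))
    if cadence is None:
        return None
    if v.last_assessed is None:
        return today            # never assessed: due immediately
    return v.last_assessed + timedelta(days=cadence)


def overdue(vendors, today: date):
    """Vendors whose next assessment is due on or before today, in input order."""
    result = []
    for v in vendors:
        due = next_due(v, today)
        if due is not None and due <= today:
            result.append((v.name, assign_tier(v), due))
    return result


# Constructed sample roster (not real vendors).
TODAY = date(2024, 6, 1)
SAMPLE_VENDORS = [
    Vendor("EHR Hosting Co", True, frozenset({"PHI"}), date(2023, 1, 15)),
    Vendor("Billing Clearinghouse", False, frozenset({"PCI", "PII"}), date(2024, 3, 1)),
    Vendor("Marketing Analytics", False, frozenset({"marketing lists"}), date(2022, 5, 1)),
    Vendor("Waste Pickup", False, frozenset(), None),
    Vendor("New SaaS Vendor", True, frozenset(), None),
]

if __name__ == "__main__":
    for v in SAMPLE_VENDORS:
        print(v.name, "tier", assign_tier(v), "next due", next_due(v, TODAY))
    print("overdue:", overdue(SAMPLE_VENDORS, TODAY))
```

Running the module lists each vendor's tier and next due date and then the overdue set; swapping the sample roster for an export from your vendor inventory gives a repeatable check that the documented cadence is actually being met.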