Client Portal CORLcleared FAQs

CORLcleared FAQs

What is CORLcleared?

CORLcleared is an innovative healthcare security assessment solution that enables healthcare payors and providers to spend less time reviewing security questionnaires and have better ongoing visibility into the security posture of their vendors.

CORLcleared clients can address the scale problem in TPRM by asking vendors to prove their security posture through key artifacts. CORLcleared sets 19 requirements that provide validated insight into the vendor's security posture at a breadth and depth that typical control questionnaires cannot match.

The vendor knows, from the moment it engages a CORLcleared-subscribed prospective customer in an RFP, what that customer's security expectations are. Rather than exchanging a multi-hundred-question questionnaire, the vendor simply shares the artifacts prescribed by CORLcleared. This removes complexity, time delay, and manual effort for both the vendor and the client.

How are you able to provide the same level of assurance in fewer questions?

Historically, vendor security assessments included a vast superset of highly granular controls. While relevant to an organization's security posture, many of these controls duplicated widely accepted assurance frameworks and represented a resource-intensive effort for both the vendor, who had to respond, and the healthcare organization, which had to validate each individual control.

At CORL, we believe that rigor and velocity need not come at the expense of one another, and we are committed to reducing friction in the TPRM process for all parties involved. We are similarly focused on making sure risk evaluation drives risk reduction. Our CORLcleared methodology gets us closer to both goals.
The CORLcleared methodology focuses on key indicators of security posture, radically accelerates the contracting process, and provides greater assurance through a far smaller number of requirements. Several of these requirements build upon the collective efforts of widely respected assurance frameworks that already validate at the granular control level. This allows CORL to 'stand on the shoulders of giants' and make meaningful progress towards solving the TPRM challenge for healthcare.

What are the benefits of participating in CORLcleared as a client?

CORLcleared clients can address the scale problem in TPRM by putting the onus back on the vendor to prove its own security posture. CORLcleared is based on assurance and validation. Rather than exchanging self-attested, multi-hundred-question control-based questionnaires, CORLcleared clients assess vendors against a set of 19 requirements that demonstrate a vendor's security posture. This approach speeds up the assessment process and reduces the burden on clients of reviewing hundreds of control responses.

Additionally, many vendors achieve CORLcleared status before you ever assess them. That means they have seen our methodology, believe in it, and have proactively asked to be assessed by CORL in anticipation of more CORL clients doing business with them. When a vendor is proactively CORLcleared, your assessment duration effectively drops to a single day, because the vendor is ready to share its Executive Summary and assessment artifacts with you as soon as you request an assessment.

What are the requirements to reach the status of being CORLcleared?
CORLcleared is an indicator that a vendor is transparently sharing risk information with prospective customers at high velocity. It is not tied to a risk rating. A vendor may choose to become CORLcleared even if it does not meet all 19 requirements. Regardless of how many requirements the vendor meets, to be designated CORLcleared it must publish its assessment results to the CORL portal and be willing to share the Executive Summary, and the artifacts that were validated to produce that result, with prospective customers who want to do business with it and perform security due diligence on it.


CORLcleared Migration FAQs

If you are currently a CORL client and are in the process of migrating to CORLcleared, this FAQ may address some of your questions or concerns.

I just saw the new CORLcleared questionnaire, and I am in shock because there are only 19 requirements. What happened to all the controls in the current questionnaire?

The CORLcleared questionnaire uses a completely new methodology to assess a vendor. The legacy questionnaire asks the vendor to answer hundreds of control questions; CORL then assigns a risk score based on the answers, and that score applies only at that point in time. The CORLcleared methodology shifts the burden of proof from the organization, the client, and CORL to the vendor and its auditors, who must confirm that a reliable and comprehensive control environment is in place to protect data.

For example, in the traditional method, a CISO must defend to a regulator or a plaintiff's lawyer how they determined a vendor is secure, based on the type of questionnaire, the analysis of vendor responses, the validation of information, and the follow-up on findings. There is a wide range of expert opinion about the appropriate "level" of due diligence required for a vendor assessment. In the new model, the CISO references the certifying body and the assessor as the authority on the vendor's security practices. The CISO then only has to defend why they relied on generally adopted industry standards and certifications. The new methodology provides greater assurance about security while diminishing the compliance or regulatory exposure for the CISO and their organization.

The CORLcleared questionnaire asks the vendor to provide 19 artifacts. These artifacts provide assurance about the vendor's security program (its "hygiene") and its product security features, and they give a more comprehensive view of the vendor's control environment than the few hundred controls on a questionnaire. The primary CORLcleared requirement is proof of a security certification or assurance from an unbiased independent assessor, such as a SOC 2 Type 2 report, HITRUST certification, ISO 27001 certification, or FedRAMP authorization. This replaces the individual control questions, because that level of detail is covered by the certification, and it shifts the proof of compliance to the vendor.

The second key CORLcleared requirement is proof of penetration testing. The test results provide key insight into the vendor's approach to security and indicate the risk of breach from unremediated vulnerabilities. Even more importantly, if a vendor is not performing penetration testing at all, we treat that as a strong indicator that it is at considerable risk of breach.

I’m not convinced that 19 requirements are going to adequately assess my vendors. I can’t see how 19 requirements can replace 300 controls and be as thorough. Aren’t we putting ourselves at huge risk for breach exposure?

The challenge with control-based questionnaires is that we spend a lot of time assessing the vendor's ability to meet specific control requirements at a specific point in time. The CORLcleared questionnaire takes a different approach and makes the vendor responsible for providing proof of a strong security program. CORLcleared assesses the vendor's overall security hygiene and determines whether the vendor can quickly respond to and recover from a breach.

For example, a traditional questionnaire will have questions about configuration, vulnerability, monitoring, and deployment management controls. The assessor is required to read proprietary documentation to understand each management control and how they integrate. In the CORLcleared method, CORL reviews the certification to confirm that these controls are in place, based on hundreds of hours of testing by auditors. CORL also reviews the penetration test results to check whether those controls are operating effectively in practice. The certification also provides some assurance that the vendor has the team and processes to sustain this control environment in the future.

I understand the new approach, but I really love these specific controls and want to keep them. Can you create a custom CORLcleared questionnaire just for my organization with my specific controls?

No, we're sorry, but for the new approach to work we must use the same questionnaire for every vendor and for every client. The reason is that the new approach allows vendors to elect to become CORLcleared and then provide the same questionnaire responses to multiple CORL clients.

In addition, having all vendors answer the same questionnaire allows us to provide you with risk reporting and benchmarking based on industry sector.

What happens if the vendor is a very small organization and does not have the time or resources for a full SOC 2 or HITRUST certification?
The vendor can complete a HITRUST e1 certification, which covers just 44 controls. As the organization grows, it can move up to a HITRUST i1 certification and eventually to the full HITRUST r2 certification. The HITRUST e1 certification provides assurance that the vendor has a basic security program in place. The vendor can then share the certification with any customer that asks about its security program.
Won’t the HITRUST e1 certificate expire in a year?
Yes, but renewing the certificate is quick and easy.
What happens if the vendor fails to meet the 19 CORLcleared requirements?
The new CORLcleared approach provides a remediation path for each of the 19 requirements. CORL will work with the vendor to remediate the gaps and will hold the vendor accountable for remediation in 90-day increments.
What happens if my cloud service provider won’t respond to the questionnaire because they have a trust center showing multiple certificates and they feel this is sufficient?

Many of the large cloud service providers (Google, Microsoft, Amazon) maintain trust centers showing all of their security certifications. Several clients have asked us what happens if their cloud service provider won’t complete a questionnaire because they feel the information in their trust center is sufficient.

Currently, our practice is to ask the cloud service provider for a direct link to the relevant certificate in its trust center. Our Audit team then inspects the certificate to verify that it covers the product or service in question, is current, and has no material deficiencies.

We will mark the vendor inadequate on each of the other requirements for which no artifact is provided. Because we believe the security certification is the most important requirement, our grading algorithm sets a floor of B- on any assessment that reveals a valid and current security certification. If the vendor provides artifacts for the other 18 CORLcleared requirements, its grade can improve above a B-.

Does CORLcleared still rely on the current method of exchanging emails and spreadsheets?
No, we're getting away from emails and spreadsheets because emails go astray, files get corrupted, and so on. CORLcleared relies on the CORL portal for both clients and vendors. The CORL portal facilitates the entire assessment process by providing everything in one easy-to-use place. As a client, you can manage the entire assessment process from beginning to end in the CORL portal: request an assessment, view the results, view reports showing your third-party risk, and much more. A vendor can complete both the assessment and the remediation in the CORL portal, making it easy to track its progress towards remediation.
Does this mean that I can’t email CORL anymore?
You can still email CORLVSRM@CORLtech.com. The email will now automatically create a ticket in the support system. The ticket ensures your request won't be lost and will be tracked through to resolution. You can interact with the ticket by email, or you can view it in the CORL portal by clicking the question mark icon to access the Help Desk. There are also several options for creating tickets directly in the CORL portal. Even if you create a ticket directly in the CORL portal, you'll still receive an email.
I have so many questions. Do you have a live chat where I can ask questions?
No, we're sorry, but at this time we don't have a live chat or a chat bot. You can send an email or open a ticket to ask your questions. The CORL portal also has documentation that may answer some of your questions.
I have a really challenging time understanding new systems. Do you have a test environment where I can play around before using the CORL portal for real assessments?
No, we're sorry, but we can't provide a test environment. However, we will be more than happy to provide training and to walk you through your first assessment. We can provide workshops covering how to request an assessment, view your first Executive Summary, and understand the reporting options available in the CORL portal.
Wait. You just said reporting is in the CORL portal. Does that mean I will no longer receive my Executive Summary in Microsoft Word and the Power BI reports?

You’ll still receive the Executive Summary in Microsoft Word format, but you’ll also be able to view the Executive Summary in the CORL portal. We think you’ll like the CORL portal version better because the display is easier to read and lets you expand and collapse sections rather than scroll through a long Word file. In addition, you’ll have the option to dig into the details of the vendor’s assessment responses and work with CORL to plan remediation, if necessary. You can also provide feedback on the Executive Summary directly in the CORL portal.

In addition, you can export the Executive Summary as a PDF if you want to share the results with others in your organization.

The Power BI reports are no longer available. They have been replaced by a series of interactive dashboards and reports that are available in the Program Metrics section (navigate to Assessments > Program Metrics). We think you'll love the new reports because they present a clear picture of your overall vendor risk. There is extensive online documentation that will help you understand each of the reports and dashboards.

Can anyone in my organization access the CORL portal to review these reports?
Anyone you add to the CORL portal as a user can access the CORL portal. You can add as many users as you like.
I understand that CORLcleared does not typically include pre-assessments. What if I would like to continue using pre-assessments?
The base offering of CORLcleared does not include the pre-assessment service, because we want to streamline the process and because there is overlap between pre-assessment questions and the CORLcleared questionnaire. However, you do have the option to purchase pre-assessments as an additional service on top of CORLcleared, for an additional cost. Please contact CORLVSRM@CORLtech.com if you would like more information.
How will I know when you make changes to the CORL portal? Do you have publicly available release notes?
You can click the CORL icon in the bottom left corner to view the latest release notes. Additionally, CORL sends emails to current customers with release highlights.
I am really starting to like this new CORL portal, but I have a few ideas on how it can be even better. How do I submit my suggestions?
You have a couple of options. You can submit a ticket and we'll route your suggestions to our Product Team, or you can participate in our Client Advisory Board (CAB). The CAB is a group of CORL clients who are interested in directing the future of third-party risk management, and we always welcome new members. Again, submit a ticket and we'll route your request to the right team.
