This article explains residual likelihood scoring for a CORLcleared Executive Summary. CORL grades vendors on an A through F scale.
Tier 1 requirements carry the most weight and dictate the letter grade. For each tier 1 requirement that a vendor misses, the grade falls by one letter.
How a vendor performs on tier 2 to 4 requirements determines whether the score carries a plus (+) or a minus (-).
Finally, there are security implementation capability requirements which finalize the grade. If the vendor does not meet these requirements, the final grade can be reduced further.
Topics in this article include:
- Key Indicators
- Thresholds
- Additional Scoring Rules
- Risk Rating Definitions
- Impact Level Definitions
- Likelihood Level Definitions
Key Indicators
Tier | Key Requirement |
---|---|
1 | PCI AOC / ROC |
1 | Security Certification / Validated Assessment |
1 | Organization level external / internal penetration tests |
1 | Application or device level penetration tests |
1 | Publicly report breaches in last 6 months |
1 | Dedicated Security Leader |
1 | Incident Response Plan |
2 | Cloud Hosting Security Tools & Services |
2 | Secure SDLC |
2 | Third Party Risk Management Program |
2 | Routine Secure Code Scan Practices |
2 | Cyber Liability Insurance |
3 | Disaster Recovery Plan |
3 | Disaster Recovery Test |
3 | Phishing Test |
3 | Product Security Implementation & Configuration Documentation |
3 | MDS2 |
4 | 4th Party Disclosure |
4 | Off-Shore Attestation |
4 | SBOM |
 | Incident Response Test |
Thresholds
Grade | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
---|---|---|---|---|
A+ | Missing 0 | Missing 0 | Missing 0 | Missing 0 |
A | Missing 0 | Missing 1 | Missing 1 | Missing 1 |
A- | Missing 0 | Missing 2 | Missing 2 | Missing 2 |
B+ | Missing 1 | Missing 0 | Missing 0 | Missing 0 |
B | Missing 1 | Missing 1 | Missing 1 | Missing 1 |
B- | Missing 1 | Missing 2 | Missing 2 | Missing 2 |
C+ | Missing 2 | Missing 0 | Missing 0 | Missing 0 |
C | Missing 2 | Missing 1 | Missing 1 | Missing 1 |
C- | Missing 2 | Missing > 1 | Missing > 1 | Missing > 1 |
D+ | Missing 3 | Missing 0 | Missing 0 | Missing 0 |
D | Missing 3 | Missing 1 | Missing 1 | Missing 1 |
D- | Missing 3 | Missing > 1 | Missing > 1 | Missing > 1 |
F | Missing 4 or > | | | |
Additional Scoring Rules
- If an A- grade is missing 3 or more requirements from any one of tiers 2, 3, or 4, OR 3 or more in total across tiers 2, 3, and 4, drop it to B-.
- If a B- grade is missing 3 or more requirements from any one of tiers 2, 3, or 4, OR 3 or more in total across tiers 2, 3, and 4, drop it to C-.
- If the vendor has had a breach in the past 6 months and proper remediation evidence has not been provided, drop the grade to F.
- If the vendor does not have an adequate security certification and the Final Grade is above C+, drop it to C+. If the Final Grade is already below C+, it stays the same.
- If an adequate security certification is in place, the lowest possible grade is B-, unless a breach took place in the past 6 months without remediation evidence being provided, in which case the grade defaults to F.
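The threshold table and the additional rules above can be read as one grading procedure. The following Python is an added illustration of that procedure, not CORL's own scoring code; it assumes the sign for tiers 2 to 4 is taken from the worst of those tiers, that the A-/B- drop rules are applied once (no chaining), and that the rules run in the order listed.

```python
from dataclasses import dataclass

# Grades ranked from worst to best so rules like "above C+" can be compared.
GRADES = ["F", "D-", "D", "D+", "C-", "C", "C+", "B-", "B", "B+", "A-", "A", "A+"]


@dataclass
class VendorFindings:
    missing: dict                       # {tier: count of missed requirements}
    breach_last_6_months: bool = False
    remediation_evidence: bool = False
    adequate_certification: bool = True


def base_grade(f: VendorFindings) -> str:
    """Letter from tier 1, sign from the worst of tiers 2-4 (Thresholds table)."""
    t1 = f.missing.get(1, 0)
    if t1 >= 4:
        return "F"                      # F row: tier 1 alone decides
    letter = "ABCD"[t1]                 # one letter down per missed tier 1 item
    worst = max(f.missing.get(t, 0) for t in (2, 3, 4))
    sign = "+" if worst == 0 else ("" if worst == 1 else "-")
    return letter + sign


def apply_rules(f: VendorFindings, grade: str) -> str:
    """Additional Scoring Rules, applied once in the order listed (assumed)."""
    lower = [f.missing.get(t, 0) for t in (2, 3, 4)]
    heavy = max(lower) >= 3 or sum(lower) >= 3
    if grade == "A-" and heavy:
        grade = "B-"
    elif grade == "B-" and heavy:
        grade = "C-"
    if f.breach_last_6_months and not f.remediation_evidence:
        return "F"                      # unremediated breach overrides everything
    if not f.adequate_certification:
        if GRADES.index(grade) > GRADES.index("C+"):
            grade = "C+"                # no certification caps the grade at C+
    elif GRADES.index(grade) < GRADES.index("B-"):
        grade = "B-"                    # certification floors the grade at B-
    return grade


def final_grade(f: VendorFindings) -> str:
    return apply_rules(f, base_grade(f))
```

Note that, read literally, the certification floor lifts even a tier 1 "F" to B-, so the floor and the breach rule are the only paths that cross the tier 1 letter boundary.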
Risk Rating Definitions
While you are viewing an Executive Summary, click View Risk Rating Key for a detailed explanation of each risk impact level and a definition of each risk likelihood.
Risk Rating is a measure of the extent to which an entity is threatened by a potential circumstance or event, and is typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence (https://csrc.nist.gov/glossary/term/risk).
Impact Level Definitions
Impact is the magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability (https://csrc.nist.gov/glossary/term/impact).
Impact Level | Description |
---|---|
Very High | A vendor who receives all regulated or sensitive data on patients, employees, or internal company operations or who provides mission-critical or life-critical services. The compromise, failure, or disruption of the vendor's products or services would have an extreme impact on the operations, finances, or reputation of the client’s organization. |
High | A vendor who receives most regulated or sensitive data on patients, employees, or internal company operations or who provides highly business-critical or highly patient-care-critical services. The compromise, failure, or disruption of the vendor's products or services would have a significant impact on the operations, finances, or reputation of the client’s organization. |
Medium | A vendor who receives a subset of regulated or sensitive data on patients, employees, or internal company operations or who provides moderately business-critical or moderately patient-care-critical services. The compromise, failure, or disruption of the vendor's products or services would cause some inconvenience or disruption for the client, but it would not necessarily cause significant impact on the operations, finances, or reputation of the client’s organization. |
Low | A vendor who receives only non-regulated or non-sensitive client data or who provides low business-critical or low patient-care-critical services. The compromise, failure, or disruption of the vendor's products or services would have minimal impact on the operations, finances, or reputation of the client’s organization and could likely be easily replaced or worked around. |
Very Low | A vendor who does not receive data or who provides non-essential business services or services that have no patient care impact. The compromise, failure, or disruption of the vendor's products or services would have no material impact on the operations, finances, or reputation of the client’s organization and could be easily replaced or worked around. |
Likelihood Level Definitions
Likelihood is the chance of something happening: a weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given vulnerability or a set of vulnerabilities (https://csrc.nist.gov/glossary/term/likelihood).
Likelihood | Description |
---|---|
(A) Managed | The assessment identified a security program that is implemented and aligned with reasonable industry practice. The likelihood of a breach is minimized to a level at which no remediation is necessary. |
(B) Low | The assessment identified a security program that is implemented and mostly aligned with reasonable industry practice. Some remediation may be necessary, but there is a low likelihood of an immediate breach. |
(C) Medium | The assessment identified a security program that is partially implemented and partially aligned with reasonable industry practice. Remediation activities should be identified and planned with corrections implemented in the near term to avoid a potential breach in the future. |
(D) High | The assessment identified a security program that is minimally implemented and minimally aligned with industry best practice. Remediation activities should be identified and planned with corrections implemented, as there is a high likelihood of an imminent breach. |
(F) Very High | The assessment identified a vulnerability that indicates an existing or imminent breach. Incident response activities should be activated. |