Use these terms and definitions to understand CORL's acronyms.
Acronym | Term | Definition |
---|---|---|
Asmt: Preparing | Assessment Results: Preparing Summary | Program Metrics Assessment Status: Assessment. For more information, see CORL Assessment Status. |
Asmt: Ready | Assessment Results: Ready for Review | Program Metrics Assessment Status: Remediation. For more information, see CORL Assessment Status. |
Assurance | | Independently validated controls by a third party (HITRUST, SOC auditors, etc.). |
AOC | Attestation of Compliance | The AOC is a form for merchants and service providers to attest to the results of a PCI DSS assessment, as documented in the Self-Assessment Questionnaire or Report on Compliance. |
BOQ | Business Owner Questionnaire | Used interchangeably with the term "IRQ" (Inherent Risk Questionnaire). |
Cert: Vendor | Certification Evidence: Awaiting vendor response | Program Metrics Assessment Status: Assessment. For more information, see CORL Assessment Status. |
CISO | Chief Information Security Officer | A qualified individual responsible for overseeing and implementing the organization’s cybersecurity program and enforcing its cybersecurity policy. The CISO has authority to ensure cybersecurity risks are appropriately managed, including the ability to direct sufficient resources to implement and maintain an effective cybersecurity program. |
Complete | Complete: Awaiting guidance | Program Metrics Assessment Status: Remediation. For more information, see CORL Assessment Status. |
Complete | Complete: No action required | Program Metrics Assessment Status: Remediation. For more information, see CORL Assessment Status. |
CAP | Corrective Action Plan | A CAP outlines steps for addressing issues. |
CXM | Customer Experience Manager | The CORL CXM is the client's main point of contact for discussing strategy, delivering feedback, and handling other business-related matters. The CXM helps ensure that the client has a successful experience with CORL. CXMs present the Quarterly Business Review (QBR) and maintain the client's playbook to ensure all preferences are documented. |
CVR | CORL Vendor Report | Pre-assessment report |
DRU | Data Reuse | Data Reuse is providing the vendor with previously answered security questions for their review, edit, and modification to current client specifics. This process can reduce turnaround time and burden on the vendor. |
DSS | Data Security Standard | The PCI DSS designates four levels of compliance based on transaction volume. |
ES | Executive Summary | The main CORL assessment deliverable. The first section is an “Executive Summary”, and the remaining sections dive deeply into risks and the corresponding remediation activities and time frames. |
Gap: Vendor | Gap Validation: Awaiting vendor response | Program Metrics Assessment Status: Assessment. For more information, see CORL Assessment Status. |
Gap: Processing | Gap Validation: Processing vendor response | Program Metrics Assessment Status: Assessment. For more information, see CORL Assessment Status. |
GRC | Governance, Risk, and Compliance | An organization's integrated approach to managing governance, risk, and compliance, typically supported by a suite of software tools. |
Impact | | The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability. https://csrc.nist.gov/glossary/term/impact. |
Impact Rating | | CORL calculates the Impact based on the volume and type of sensitive data that a vendor stores, transmits, or has access to for an organization. The Impact ranges from Very Low (non-sensitive company data such as training materials) to Very High (regulated or sensitive data for all patients or employees, e.g., EHR, claims system). Impact Rating numbers are mapped as follows: |
Information System | | A discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic information, as well as any specialized system such as industrial/process control systems, telephone switching and private branch exchange systems, and environmental control systems. |
IRP | Initial Risk Profile | The IRP is a risk-ranked list of client vendors that prioritizes vendors for CORL assessment. |
IRQ | Inherent Risk Questionnaire | Used interchangeably with the term "BOQ" (Business Owner Questionnaire). |
IRQ: Client | Inherent Risk Questionnaire: Awaiting client response | Program Metrics Assessment Status: Inherent Risk Questionnaire. For more information, see CORL Assessment Status. |
IRQ: Processing | Inherent Risk Questionnaire: Processing client response | Program Metrics Assessment Status: Inherent Risk Questionnaire. For more information, see CORL Assessment Status. |
IRQ: Ready | Inherent Risk Questionnaire: Preparing Summary | Program Metrics Assessment Status: Inherent Risk Questionnaire. For more information, see CORL Assessment Status. |
IVPQ | Initial Vendor Profile Questionnaire | The “scoping questionnaire.” The IVPQ is made up of the Vendor Profile Questionnaire and Scope tabs from the "VSQ" or Vendor Security Questionnaires. It is the first thing CORL sends to a client’s vendor to understand scope of services / products in use as well as the environment (on premise, cloud, etc.). |
Likelihood | | Chance of something happening; a weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given vulnerability or a set of vulnerabilities. https://csrc.nist.gov/glossary/term/likelihood. |
Likelihood / CORL Confidence Score | | The Likelihood Score (represented by the CORL Confidence Score on an A to F scale) is based on the vendor's capability to protect an organization's data and avoid a breach. The 0 to 10 numeric ranges mapped to the A to F scale are adjusted for the assessment threshold. |
MDS2 | Manufacturer Disclosure Statement for Medical Device Security | The MDS2 is part of the security procurement process. The MDS2 clarifies roles and responsibilities of manufacturers and healthcare delivery organizations for the upkeep and maintenance of a connected device's security posture. The form is completed by the manufacturer and provided to healthcare delivery organizations upon request. For more information, see https://www.nema.org/Standards/view/Manufacturer-Disclosure-Statement-for-Medical-Device-Security |
MFA | Multi-Factor Authentication | Authentication through verification of at least two of the following types of authentication factors: (1) Knowledge factors, such as a password; or (2) Possession factors, such as a token or text message on a mobile phone; or (3) Inherence factors, such as a biometric characteristic. |
NDA | Non-Disclosure Agreement | Non-disclosure agreements are legal contracts that prohibit someone from sharing information deemed confidential. The confidential information is defined in the agreement and includes, but is not limited to, proprietary information, trade secrets, and any other details, which may include personal information or events. |
NDA: Vendor | NDA: Awaiting vendor response | Program Metrics Assessment Status: Assessment. For more information, see CORL Assessment Status. |
PCI | Payment Card Industry | The PCI Security Standards Council (PCI SSC) is a global forum that brings together payment industry stakeholders to develop and drive adoption of data security standards and resources for safe payments worldwide. |
Penetration Testing | | Testing the security of information systems by attempting to circumvent or defeat the security features of an information system, by attempting penetration of databases or controls from outside or inside the organization. |
Pre: Preparing | Pre-Assessment: Preparing Summary | Program Metrics Assessment Status: Pre-Assessment. For more information, see CORL Assessment Status. |
PHI | Protected Health Information | PHI is any information that applies to a health condition now, in the past, or in the future. If health information includes data that would let somebody identify the patient, it is classified as PHI (18 elements total): (1) patient name; (2) patient addresses; (3) dates (birth, etc.); (4) phone numbers; (5) fax numbers; (6) e-mail addresses; (7) Social Security numbers; (8) medical record numbers; (9) health plan beneficiary numbers; (10) account numbers; (11) certificate/license numbers; (12) vehicle identifiers/serial numbers; (13) device identifiers/serial numbers; (14) web URLs; (15) IP addresses; (16) biometric identifiers (fingerprints, etc.); (17) full-face/comparable photos; (18) any other unique identifying number, characteristic, or code. |
POC | Point of Contact | The vendor's point of contact information is required for CORL to engage with and email the vendor to initiate and complete risk assessments. |
Privileged Account | | Any authorized user account or service account that can be used to perform security-relevant functions that ordinary users are not authorized to perform, including but not limited to the ability to add, change, or remove other accounts, or to make configuration changes to information systems that make them more or less secure. |
PSQ | Product Security Questionnaire | |
QA | Quality Assurance | QA is a process for ensuring confidence in results. |
QBR | Quarterly Business Review | This deliverable is presented quarterly to show progress of the assessments and overall risk reduction to the client organization. |
QSA | Quality Security Assessor | A qualification issued by the PCI Security Standards Council. |
Rem: Vendor | Remediation: Awaiting vendor response | Program Metrics Assessment Status: Remediation. For more information, see CORL Assessment Status. |
Rem: Preparing | Remediation: Preparing Summary | Program Metrics Assessment Status: Remediation. For more information, see CORL Assessment Status. |
Rem: Processing | Remediation: Processing vendor response | Program Metrics Assessment Status: Remediation. For more information, see CORL Assessment Status. |
RA | Risk Advisor | The Risk Advisor Team is responsible for all technical reviews and knowledge of vendor assessments. They are available to answer security questions related to the CORL Assessment deliverables. The RA has knowledge of the VSQs and evidence reviews, and of the process documented in the Client Playbook. RAs present the QBR and serve as the CORL technical security expert. |
Risk Rating | | A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. https://csrc.nist.gov/glossary/term/risk. |
RBAC | Role-Based Access Control | Role-based access control is based on a person's role within the organization. |
REM | Remediation | The process of correcting security risks. |
RFP | Request for Proposal | A request for proposal (RFP) seeks out vendors and contractors that can supply a company with necessary products and services that fall outside of what the soliciting organization can provide internally. The RFP, then, is a document to source that work and allow vendors and contractors to bid for the work. |
RoC | Report on Compliance | A PCI Report on Compliance (RoC) is an assessment that tests security controls that protect cardholder data. The report details whether the company meets all 12 requirements of the PCI DSS standard and notes any deficiencies discovered during the assessment. |
Risk Assessment | | The process of identifying, estimating, and prioritizing cybersecurity risks to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, customers, consumers, other organizations, and critical infrastructure resulting from the operation of an information system. Risk assessments incorporate threat and vulnerability analyses, and consider mitigations provided by security controls planned or in place. |
Risk Rating (Qualitative) | | |
Risk Rating (Quantitative) | | Risk Rating = Likelihood x Impact, on a 0 to 100 scale (0 to 10 Likelihood multiplied by 0 to 10 Impact); 0 is least risky and 100 is riskiest. |
Scope: Processing | Scoping Questionnaire: Processing vendor response | Program Metrics Assessment Status: Assessment. For more information, see CORL Assessment Status. |
Scope: Vendor | Scoping Questionnaire: Awaiting vendor response | Program Metrics Assessment Status: Assessment. For more information, see CORL Assessment Status. |
Sector | | The detailed-level industry that the vendor works within (e.g., Business Services – Security/Privacy, Software – Mobile Device Applications, etc.). |
Sector Group | | The high-level industry the vendor works within (e.g., Business Services, Software, Consulting, etc.). |
Sec: Vendor | Security Questionnaire: Awaiting vendor response | Program Metrics Assessment Status: Assessment. For more information, see CORL Assessment Status. |
Sec: Processing | Security Questionnaire: Processing vendor response | Program Metrics Assessment Status: Assessment. For more information, see CORL Assessment Status. |
Senior Governing Body | | The board of directors (or an appropriate committee thereof) or equivalent governing body or, if neither of those exist, the senior officer or officers responsible for the cybersecurity program. |
Senior Officer | | The senior individual (acting collectively or as a committee) responsible for the management, operations, security, information systems, compliance, and/or risk. |
SLA | Service Level Agreement | An SLA functions as a documented understanding between the entity providing the service and the entity receiving the benefits of the service. Although traditional SLAs define service expectations between vendors and customers, they may also be employed between departments within the same organization. |
SBOM | Software Bill of Materials | A software bill of materials is a list of components in a piece of software. Software vendors often create products by assembling open source and commercial software components. The SBOM describes the components in a product. |
SDLC | Software (or System) Development Life Cycle | The SDLC is a process for planning, creating, testing, and deploying an information system. |
SOW | Statement of Work | A statement of work is the description of a project's work requirements that defines project-specific activities, deliverables, and timelines. |
Terminated | Complete: Terminated | Program Metrics Assessment Status: Remediation. For more information, see CORL Assessment Status. |
TPRM | Third Party Risk Management | Third-Party Risk Management (TPRM) is the process of analyzing and minimizing risks associated with outsourcing to third-party vendors or service providers. |
Threshold | | |
Threshold 1 | | Publicly available information obtained without the vendor's input (e.g., company size from the company's website). |
Threshold 2 | | No evidence tested, or no assurance about the response to a questionnaire completed by the vendor. |
Threshold 3 | | We have assurance (tested or certification) regarding a portion of the control environment. |
Threshold 4 | | We have assurance about the vendor's security program. For some clients this is a certification; for other clients this is a certification plus testing of key controls. |
Vendor | | A company that is assessed by CORL. |
VPQ | Vendor Profile Questionnaires | |
VRAS | Vendor Risk Assessment Summary | A vendor risk assessment is a questionnaire used to identify and evaluate the liability associated with buying goods and services from third parties. |
VSQ | Vendor Security Questionnaire | |
VSRM | Vendor Security Risk Management | Vendor security risk management is a risk management discipline that focuses on pinpointing and mitigating risks associated with vendors. |