Understanding the Assessment Workflow
Assessments are the questionnaires CORL submits to vendors to determine risk.
On October 9, CORL released a new feature that gives clients the option to accept a security certification (sec cert) from a vendor in lieu of completing an assessment questionnaire. This provides a streamlined process for both clients and vendors. For more information, see Accepting Security Certifications in Lieu of Questionnaires.
If you have questions regarding assessments, use the Support Desk to submit a ticket. For more information, see Obtain Support.
- Submit an assessment request in the Client Portal. For more information, see Request a New Vendor Assessment.
- The system creates a ticket and assigns it to the CORL Research team. Tip: You can view the status of your request in the Support Desk. For more information, see Obtain Support.
- The CORL Research team reviews the assessment request in the CORL Portal, makes any necessary changes, and creates the vendor, if necessary.
- The system assigns the request to the vendor and sends the vendor an email notification.
- If this is the first time the vendor is completing an assessment, they must complete the Onboarding Wizard to create a profile.
- The vendor completes the assessment in the Vendor Portal by answering the questions in the questionnaire or by providing a sec cert.
- CORL users can view the assessment progress in the CORL Portal.
- You can view the assessment progress in the Client Portal. For more information, see View the Assessments Queue.
- After the vendor submits the completed questionnaire or the sec cert in the Vendor Portal, the system creates a ticket and assigns the assessment to the CORL Audit team.
- The CORL Audit team reviews, grades, and scores the assessment in the CORL Portal and creates the Executive Summary report.
- You will receive notification that the assessment results are ready if you set your communication preferences to Notify Me. For more information, see Update Communication Preferences.
- You can review the results of the assessment in the Client Portal. For more information, see View the Executive Summary.
Understanding the Remediation Workflow
If CORL identifies risks during the assessment process, then the system creates a remediation plan and starts the remediation workflow.
The remediation workflow varies depending on your contract configuration and on whether you have elected vendor remediation.
Depending on your contract configuration, you may also have the option to override CORL's remediation recommendations and provide alternative recommendations.
Note that if you elect to accept sec certs, vendors do not undergo remediation.
Tip: You cannot view your contract configuration. If you need assistance, submit a ticket. For more information, see Obtain Support.
- The remediation workflow depends on your contract configuration:
  - If Remediation Enabled is set to Yes, then vendors can be asked to remediate risk findings.
  - If Remediation Preferences are checked, the system automatically requires vendors to remediate risk findings.
  - If Review CORL Remediation Recommendations is set to Yes, you can review the system-generated remediation plan containing CORL's recommendations in the Client Portal prior to sending to the vendor. For more information, see Review Remediation Guidance.
  - If Affordance for Alternate Remediation Guidance is set to Yes, you can make changes to the remediation plan and provide alternative recommendations in the Client Portal. For more information, see Review Remediation Guidance.
- The vendor receives notification of the remediation plan, reviews the remediation plan in the Vendor Portal, and indicates which risks will be remediated.
- The vendor remediates the risk findings and updates the remediation plan in the Vendor Portal.
- The system creates a ticket and assigns it to the CORL Audit team.
- After the vendor remediates all risk findings, the Audit team updates the Executive Summary in the CORL Portal.
- You receive the updated assessment results in the Client Portal. For more information, see View the Executive Summary.