Agent skill: vendor-security-questionnaire

Automated vendor security assessment through questionnaire generation, response parsing, and risk scoring.

Install this agent skill in your project:

```sh
npx add-skill https://github.com/a5c-ai/babysitter/tree/main/library/specializations/security-compliance/skills/vendor-security-questionnaire
```

The skill's `SKILL.md` follows.

# Vendor Security Questionnaire Skill
## Purpose
Automate vendor security assessment through standardized questionnaire generation, response parsing, security posture scoring, and risk report generation for third-party risk management programs.
## Capabilities

### Questionnaire Generation
- Generate industry-standard security questionnaires
- Create SIG (Standardized Information Gathering) questionnaires
- Build CAIQ (Consensus Assessment Initiative Questionnaire) forms
- Generate custom questionnaires based on risk tier
- Create vendor-type-specific assessments
- Support multiple response formats
### Response Parsing and Analysis
- Parse questionnaire responses from various formats
- Extract key security control information
- Identify missing or incomplete responses
- Flag concerning answers for review
- Compare responses against requirements
- Validate evidence attachments
### Security Posture Scoring
- Calculate vendor security scores
- Weight scores by control importance
- Compare against industry benchmarks
- Track score trends over time
- Generate risk-adjusted ratings
- Identify score improvement areas
### Assessment Status Tracking
- Track assessment workflow status
- Monitor response deadlines
- Send automated reminders
- Escalate overdue assessments
- Maintain assessment history
- Archive completed assessments
### Risk Report Generation
- Generate executive risk summaries
- Create detailed technical reports
- Produce comparison reports
- Build risk heat maps
- Generate board-level dashboards
- Export data for GRC systems
### Vendor Compliance Monitoring
- Track vendor compliance commitments
- Monitor remediation progress
- Verify evidence of compliance
- Alert on compliance drift
- Schedule periodic reassessments
- Maintain compliance documentation
## Questionnaire Standards
| Standard | Use Case | Questions |
|---|---|---|
| SIG Lite | Low-risk vendors | ~100 |
| SIG Core | Medium-risk vendors | ~300 |
| SIG Full | High-risk vendors | ~800+ |
| CAIQ | Cloud providers | ~300 |
| VSAQ | General vendors | Variable |
| Custom | Specific needs | Variable |
## Assessment Domains
- Information Security Management
- Access Control
- Data Protection
- Network Security
- Application Security
- Physical Security
- Business Continuity
- Incident Response
- Compliance and Legal
- Third-Party Management
## Integrations
- OneTrust: Third-party risk management
- ProcessUnity: Vendor risk management
- SecurityScorecard: Security ratings
- BitSight: Security ratings and benchmarks
- Prevalent: Third-party risk intelligence
- Shared Assessments: SIG questionnaire tools
## Target Processes
- Third-Party Vendor Security Assessment
- Vendor Onboarding Security Review
- Annual Vendor Reassessment
- Vendor Risk Management
## Input Schema

```json
{
  "type": "object",
  "properties": {
    "operation": {
      "type": "string",
      "enum": ["generate", "parse", "score", "report", "track"],
      "description": "Questionnaire operation type"
    },
    "vendorInfo": {
      "type": "object",
      "properties": {
        "vendorName": { "type": "string" },
        "vendorId": { "type": "string" },
        "vendorType": { "type": "string" },
        "riskTier": { "type": "string", "enum": ["critical", "high", "medium", "low"] },
        "dataAccess": { "type": "array", "items": { "type": "string" } }
      }
    },
    "questionnaireType": {
      "type": "string",
      "enum": ["SIG-Lite", "SIG-Core", "SIG-Full", "CAIQ", "VSAQ", "custom"],
      "description": "Questionnaire standard to use"
    },
    "customDomains": {
      "type": "array",
      "items": { "type": "string" },
      "description": "Specific domains to assess"
    },
    "responseFile": {
      "type": "string",
      "description": "Path to questionnaire response file"
    },
    "scoringCriteria": {
      "type": "object",
      "properties": {
        "minimumScore": { "type": "number" },
        "criticalControls": { "type": "array" },
        "weightings": { "type": "object" }
      }
    },
    "deadline": {
      "type": "string",
      "format": "date",
      "description": "Assessment completion deadline"
    }
  },
  "required": ["operation"]
}
```
## Output Schema

```json
{
  "type": "object",
  "properties": {
    "assessmentId": {
      "type": "string"
    },
    "operation": {
      "type": "string"
    },
    "timestamp": {
      "type": "string",
      "format": "date-time"
    },
    "vendorInfo": {
      "type": "object"
    },
    "questionnaire": {
      "type": "object",
      "properties": {
        "type": { "type": "string" },
        "totalQuestions": { "type": "integer" },
        "domains": { "type": "array" },
        "filePath": { "type": "string" }
      }
    },
    "responseAnalysis": {
      "type": "object",
      "properties": {
        "questionsAnswered": { "type": "integer" },
        "questionsSkipped": { "type": "integer" },
        "evidenceProvided": { "type": "integer" },
        "concerningResponses": { "type": "array" },
        "missingInformation": { "type": "array" }
      }
    },
    "securityScore": {
      "type": "object",
      "properties": {
        "overallScore": { "type": "number" },
        "riskRating": { "type": "string", "enum": ["low", "medium", "high", "critical"] },
        "domainScores": {
          "type": "array",
          "items": {
            "type": "object",
            "properties": {
              "domain": { "type": "string" },
              "score": { "type": "number" },
              "findings": { "type": "array" }
            }
          }
        },
        "benchmarkComparison": { "type": "object" },
        "scoreHistory": { "type": "array" }
      }
    },
    "riskFindings": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "findingId": { "type": "string" },
          "domain": { "type": "string" },
          "severity": { "type": "string" },
          "description": { "type": "string" },
          "recommendation": { "type": "string" }
        }
      }
    },
    "assessmentStatus": {
      "type": "object",
      "properties": {
        "status": { "type": "string" },
        "deadline": { "type": "string" },
        "daysRemaining": { "type": "integer" },
        "remindersent": { "type": "boolean" }
      }
    },
    "recommendations": {
      "type": "array",
      "items": { "type": "string" }
    },
    "reportPath": {
      "type": "string"
    }
  }
}
```
## Usage Example

```javascript
skill: {
  name: 'vendor-security-questionnaire',
  context: {
    operation: 'generate',
    vendorInfo: {
      vendorName: 'Cloud SaaS Provider',
      riskTier: 'high',
      dataAccess: ['PII', 'financial']
    },
    questionnaireType: 'SIG-Core',
    deadline: '2024-03-15'
  }
}
```
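The usage example above shows the input side of a `generate` call. What follows is an added example, not code from the skill or from the babysitter project, of what the `parse` and `score` operations described under Capabilities do with a returned response file: it produces the `responseAnalysis`, `securityScore` and `riskFindings` blocks of the output schema from a `scoringCriteria` object shaped like the input schema (`minimumScore`, `criticalControls`, `weightings`). The six questions, the weightings, the critical-control list, the rating thresholds and the vendor's answers are all constructed for the demo; the skill's real questionnaires and scoring weights are not on this page.

```javascript
// Added example, not code from the vendor-security-questionnaire skill: a minimal
// "parse" + "score" implementation whose output follows the skill's responseAnalysis /
// securityScore / riskFindings schema. Questions, scoringCriteria and answers are constructed.

// Constructed questionnaire (a tiny SIG-style subset).
const QUESTIONS = [
  { id: "AC-01", domain: "Access Control", text: "Is MFA enforced for all administrative access?" },
  { id: "AC-02", domain: "Access Control", text: "Are user access rights reviewed at least quarterly?" },
  { id: "DP-01", domain: "Data Protection", text: "Is customer data encrypted at rest?" },
  { id: "DP-02", domain: "Data Protection", text: "Is customer data encrypted in transit (TLS 1.2+)?" },
  { id: "IR-01", domain: "Incident Response", text: "Is the incident response plan tested annually?" },
  { id: "IR-02", domain: "Incident Response", text: "Are customers notified of incidents within 72 hours?" },
];

// Constructed scoringCriteria in the shape of the skill's input schema:
// weightings by question id (default 1) and the ids of the critical controls.
const SCORING_CRITERIA = {
  minimumScore: 70,
  criticalControls: ["AC-01", "DP-01"],
  weightings: { "AC-01": 3, "AC-02": 2, "DP-01": 3, "DP-02": 2, "IR-01": 2, "IR-02": 1 },
};

// Fraction of a question's weight each answer earns; "na" is excluded from scoring.
const ANSWER_VALUE = { yes: 1, partial: 0.5, no: 0, na: null };
// Assumed rating cut-offs on the 0-100 overall score (the skill does not publish its own).
const RATING_THRESHOLDS = { low: 80, medium: 60, high: 40 };

// Constructed vendor responses as read from a response file: IR-02 is missing and
// the answers carry the inconsistent casing and punctuation real submissions have.
const SAMPLE_RESPONSES = {
  "AC-01": { answer: "Yes", evidence: "mfa-policy.pdf" },
  "AC-02": { answer: "Partial", comment: "Reviewed annually" },
  "DP-01": { answer: "no" },
  "DP-02": { answer: "YES", evidence: "tls-config.txt" },
  "IR-01": { answer: "N/A" },
};

const isCritical = (criteria, id) => (criteria.criticalControls ?? []).includes(id);
const weightOf = (criteria, id) => criteria.weightings?.[id] ?? 1;
const pct = (earned, possible) => (possible ? Math.round((earned / possible) * 1000) / 10 : null);

// Map a free-text answer ("Yes", "N/A", " partial ") to a key of ANSWER_VALUE, or null if unrecognised.
function normaliseAnswer(raw) {
  const key = String(raw ?? "").toLowerCase().replace(/[^a-z]/g, "");
  return Object.prototype.hasOwnProperty.call(ANSWER_VALUE, key) ? key : null;
}

// "parse" operation: match responses to questions, count coverage, and flag the answers
// a reviewer must look at. "answers" is internal state consumed by scoreResponses.
function parseResponses(questions, responses, criteria) {
  const analysis = { questionsAnswered: 0, questionsSkipped: 0, evidenceProvided: 0,
    concerningResponses: [], missingInformation: [], answers: {} };
  for (const q of questions) {
    const critical = isCritical(criteria, q.id);
    const r = responses[q.id];
    const key = r ? normaliseAnswer(r.answer) : null;
    if (key === null) {                      // absent or unrecognised: skipped, scored as 0 later
      analysis.questionsSkipped++;
      analysis.missingInformation.push(r ? `${q.id}: unrecognised answer "${r.answer}"` : `${q.id}: no response provided`);
      if (critical) analysis.concerningResponses.push({ questionId: q.id, answer: "skipped", critical });
      analysis.answers[q.id] = { key: "skipped", value: 0, evidence: null };
      continue;
    }
    analysis.questionsAnswered++;
    if (r.evidence) analysis.evidenceProvided++;
    else if (key === "yes") analysis.missingInformation.push(`${q.id}: "yes" claimed without evidence`);
    // A "no" anywhere, or anything short of "yes" on a critical control, goes to review.
    if (key === "no" || (critical && key !== "yes")) analysis.concerningResponses.push({ questionId: q.id, answer: key, critical });
    analysis.answers[q.id] = { key, value: ANSWER_VALUE[key], evidence: r.evidence ?? null };
  }
  return analysis;
}

// "score" operation: weighted domain and overall scores, risk rating and findings.
// Unanswered questions earn 0 (conservative); "na" answers are left out of both sums.
function scoreResponses(questions, analysis, criteria) {
  const domains = new Map();
  const riskFindings = [];
  let earned = 0, possible = 0, criticalFailure = false;
  for (const q of questions) {
    const a = analysis.answers[q.id];
    const critical = isCritical(criteria, q.id);
    const w = weightOf(criteria, q.id);
    const d = domains.get(q.domain) ?? { domain: q.domain, earned: 0, possible: 0, findings: [] };
    domains.set(q.domain, d);
    if (a.value !== null) { d.earned += a.value * w; d.possible += w; earned += a.value * w; possible += w; }
    // A non-critical "N/A" is accepted as answered; everything else short of "yes" is a finding.
    if (a.key === "yes" || (a.key === "na" && !critical)) continue;
    if (critical && a.key === "no") criticalFailure = true;
    const severity = critical ? (a.key === "no" ? "critical" : "high") : (a.key === "partial" ? "low" : "medium");
    const finding = { findingId: `F-${q.id}`, domain: q.domain, severity,
      description: `${q.id} answered "${a.key}": ${q.text}`,
      recommendation: critical ? "Require remediation evidence before approval" : "Track in the remediation plan" };
    riskFindings.push(finding);
    d.findings.push(finding.findingId);
  }
  const overallScore = pct(earned, possible);
  let riskRating = "critical";                       // also the fallback when nothing is scorable
  if (criticalFailure) riskRating = "critical";      // a failed critical control overrides the number
  else if (overallScore >= RATING_THRESHOLDS.low) riskRating = "low";
  else if (overallScore >= RATING_THRESHOLDS.medium) riskRating = "medium";
  else if (overallScore >= RATING_THRESHOLDS.high) riskRating = "high";
  const recommendations = [];
  if (criticalFailure) recommendations.push("Do not approve the vendor until critical control failures are remediated");
  if (criteria.minimumScore != null && !(overallScore >= criteria.minimumScore)) {
    recommendations.push(`Overall score ${overallScore} is below the required minimum ${criteria.minimumScore}`);
  }
  const domainScores = [...domains.values()].map(d => ({ domain: d.domain, score: pct(d.earned, d.possible), findings: d.findings }));
  return { overallScore, riskRating, domainScores, riskFindings, recommendations };
}

// Stand-alone run: prints the securityScore block for the constructed vendor.
const demoAnalysis = parseResponses(QUESTIONS, SAMPLE_RESPONSES, SCORING_CRITERIA);
console.log(JSON.stringify(scoreResponses(QUESTIONS, demoAnalysis, SCORING_CRITERIA), null, 2));
```

Two choices in this sketch matter for how the score reads. Unanswered or unparseable questions count as failed rather than being dropped, so a vendor cannot raise its score by leaving hard questions blank, while an honest "N/A" on a non-critical control is excluded from both sums. And a "no" on any control listed in `criticalControls` forces the rating to `critical` whatever the weighted percentage says: on the constructed data the vendor scores 54.5 overall with Access Control at 80, but unencrypted data at rest (DP-01) is the finding that decides the rating, which is the behaviour a reviewer wants from "risk-adjusted ratings".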