This skill automates vendor security assessments by generating standardized questionnaires, parsing responses, scoring risk, and producing actionable risk

```
npx playbooks add skill a5c-ai/babysitter --skill vendor-security-questionnaire
```
---
name: vendor-security-questionnaire
description: Automated vendor security assessment through questionnaire generation, response parsing, and risk scoring
allowed-tools:
- Bash
- Read
- Write
- Glob
- Grep
- WebFetch
---
# Vendor Security Questionnaire Skill
## Purpose
Automate vendor security assessment through standardized questionnaire generation, response parsing, security posture scoring, and risk report generation for third-party risk management programs.
## Capabilities
### Questionnaire Generation
- Generate industry-standard security questionnaires
- Create SIG (Standardized Information Gathering) questionnaires
- Build CAIQ (Consensus Assessment Initiative Questionnaire) forms
- Generate custom questionnaires based on risk tier
- Create vendor-type-specific assessments
- Support multiple response formats
### Response Parsing and Analysis
- Parse questionnaire responses from various formats
- Extract key security control information
- Identify missing or incomplete responses
- Flag concerning answers for review
- Compare responses against requirements
- Validate evidence attachments
### Security Posture Scoring
- Calculate vendor security scores
- Weight scores by control importance
- Compare against industry benchmarks
- Track score trends over time
- Generate risk-adjusted ratings
- Identify score improvement areas
### Assessment Status Tracking
- Track assessment workflow status
- Monitor response deadlines
- Send automated reminders
- Escalate overdue assessments
- Maintain assessment history
- Archive completed assessments
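The deadline tracking, reminder and escalation steps listed above, worked through as an added example (this is not the skill's own code). It produces the `assessmentStatus` object from the Output Schema plus a history entry per run; the reminder window, escalation offset, status names and the `actions` field are assumptions, not the skill's defaults.

```javascript
// Added example (not the skill's own code): deadline tracking for one open
// assessment. Reminder window, escalation offset and status names are assumed.
const MS_PER_DAY = 86_400_000;
const REMINDER_WINDOW_DAYS = 7;     // assumed: remind one week before the deadline
const ESCALATION_DAYS_OVERDUE = 14; // assumed: escalate two weeks past the deadline

// Whole UTC days from today to the deadline. Date-only ISO strings parse as
// UTC midnight, so flooring the epoch-day index gives an exact day count that
// does not drift with time zones or DST.
function daysUntil(deadlineIso, todayIso) {
  const day = iso => Math.floor(Date.parse(iso) / MS_PER_DAY);
  return day(deadlineIso) - day(todayIso);
}

// Returns a new record (the input is not mutated) carrying the Output Schema's
// assessmentStatus fields, an appended history entry, and the actions the
// tracker should take on this run. A reminder is sent at most once; escalation
// happens at most once.
function trackAssessment(record, todayIso) {
  const daysRemaining = daysUntil(record.deadline, todayIso);
  const actions = [];
  let status;
  if (record.completedAt) {
    status = 'completed';
  } else if (daysRemaining < -ESCALATION_DAYS_OVERDUE) {
    status = 'escalated';
    if (!record.escalated) actions.push('escalate');
  } else if (daysRemaining < 0) {
    status = 'overdue';
  } else if (daysRemaining <= REMINDER_WINDOW_DAYS) {
    status = 'due_soon';
  } else {
    status = 'awaiting_response';
  }

  let reminderSent = Boolean(record.reminderSent);
  if (status !== 'completed' && daysRemaining <= REMINDER_WINDOW_DAYS && !reminderSent) {
    actions.push('send_reminder');
    reminderSent = true;
  }

  return {
    ...record,
    reminderSent,
    escalated: Boolean(record.escalated) || status === 'escalated',
    assessmentStatus: { status, deadline: record.deadline, daysRemaining, reminderSent },
    history: [...(record.history ?? []), { date: todayIso, status, actions }],
    actions,
  };
}

// Constructed walkthrough: the same assessment observed on successive days.
let record = { vendorId: 'V-001', deadline: '2024-03-15' };
for (const today of ['2024-03-01', '2024-03-10', '2024-03-10', '2024-03-20', '2024-04-01']) {
  record = trackAssessment(record, today);
  console.log(today, record.assessmentStatus.status, record.assessmentStatus.daysRemaining, record.actions);
}
```

Running the tracker twice on the same day (the third iteration above) yields no actions, which is the property a scheduled job needs so that a re-run never double-sends a reminder.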
### Risk Report Generation
- Generate executive risk summaries
- Create detailed technical reports
- Produce comparison reports
- Build risk heat maps
- Generate board-level dashboards
- Export data for GRC systems
### Vendor Compliance Monitoring
- Track vendor compliance commitments
- Monitor remediation progress
- Verify evidence of compliance
- Alert on compliance drift
- Schedule periodic reassessments
- Maintain compliance documentation
## Questionnaire Standards
| Standard | Use Case | Questions |
|----------|----------|-----------|
| SIG Lite | Low-risk vendors | ~100 |
| SIG Core | Medium-risk vendors | ~300 |
| SIG Full | High-risk vendors | ~800+ |
| CAIQ | Cloud providers | ~300 |
| VSAQ | General vendors | Variable |
| Custom | Specific needs | Variable |
## Assessment Domains
- Information Security Management
- Access Control
- Data Protection
- Network Security
- Application Security
- Physical Security
- Business Continuity
- Incident Response
- Compliance and Legal
- Third-Party Management
## Integrations
- **OneTrust**: Third-party risk management
- **ProcessUnity**: Vendor risk management
- **SecurityScorecard**: Security ratings
- **BitSight**: Security ratings and benchmarks
- **Prevalent**: Third-party risk intelligence
- **Shared Assessments**: SIG questionnaire tools
## Target Processes
- Third-Party Vendor Security Assessment
- Vendor Onboarding Security Review
- Annual Vendor Reassessment
- Vendor Risk Management
## Input Schema
```json
{
  "type": "object",
  "properties": {
    "operation": {
      "type": "string",
      "enum": ["generate", "parse", "score", "report", "track"],
      "description": "Questionnaire operation type"
    },
    "vendorInfo": {
      "type": "object",
      "properties": {
        "vendorName": { "type": "string" },
        "vendorId": { "type": "string" },
        "vendorType": { "type": "string" },
        "riskTier": { "type": "string", "enum": ["critical", "high", "medium", "low"] },
        "dataAccess": { "type": "array", "items": { "type": "string" } }
      }
    },
    "questionnaireType": {
      "type": "string",
      "enum": ["SIG-Lite", "SIG-Core", "SIG-Full", "CAIQ", "VSAQ", "custom"],
      "description": "Questionnaire standard to use"
    },
    "customDomains": {
      "type": "array",
      "items": { "type": "string" },
      "description": "Specific domains to assess"
    },
    "responseFile": {
      "type": "string",
      "description": "Path to questionnaire response file"
    },
    "scoringCriteria": {
      "type": "object",
      "properties": {
        "minimumScore": { "type": "number" },
        "criticalControls": { "type": "array" },
        "weightings": { "type": "object" }
      }
    },
    "deadline": {
      "type": "string",
      "format": "date",
      "description": "Assessment completion deadline"
    }
  },
  "required": ["operation"]
}
```
## Output Schema
```json
{
  "type": "object",
  "properties": {
    "assessmentId": {
      "type": "string"
    },
    "operation": {
      "type": "string"
    },
    "timestamp": {
      "type": "string",
      "format": "date-time"
    },
    "vendorInfo": {
      "type": "object"
    },
    "questionnaire": {
      "type": "object",
      "properties": {
        "type": { "type": "string" },
        "totalQuestions": { "type": "integer" },
        "domains": { "type": "array" },
        "filePath": { "type": "string" }
      }
    },
    "responseAnalysis": {
      "type": "object",
      "properties": {
        "questionsAnswered": { "type": "integer" },
        "questionsSkipped": { "type": "integer" },
        "evidenceProvided": { "type": "integer" },
        "concerningResponses": { "type": "array" },
        "missingInformation": { "type": "array" }
      }
    },
    "securityScore": {
      "type": "object",
      "properties": {
        "overallScore": { "type": "number" },
        "riskRating": { "type": "string", "enum": ["low", "medium", "high", "critical"] },
        "domainScores": {
          "type": "array",
          "items": {
            "type": "object",
            "properties": {
              "domain": { "type": "string" },
              "score": { "type": "number" },
              "findings": { "type": "array" }
            }
          }
        },
        "benchmarkComparison": { "type": "object" },
        "scoreHistory": { "type": "array" }
      }
    },
    "riskFindings": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "findingId": { "type": "string" },
          "domain": { "type": "string" },
          "severity": { "type": "string" },
          "description": { "type": "string" },
          "recommendation": { "type": "string" }
        }
      }
    },
    "assessmentStatus": {
      "type": "object",
      "properties": {
        "status": { "type": "string" },
        "deadline": { "type": "string" },
        "daysRemaining": { "type": "integer" },
        "reminderSent": { "type": "boolean" }
      }
    },
    "recommendations": {
      "type": "array",
      "items": { "type": "string" }
    },
    "reportPath": {
      "type": "string"
    }
  }
}
```
## Usage Example
```javascript
// Invocation context for a SIG Core assessment of a high-risk SaaS vendor
// that handles PII and financial data; the operation here only generates
// the questionnaire, with a completion deadline for status tracking.
const invocation = {
  skill: {
    name: 'vendor-security-questionnaire',
    context: {
      operation: 'generate',
      vendorInfo: {
        vendorName: 'Cloud SaaS Provider',
        riskTier: 'high',
        dataAccess: ['PII', 'financial']
      },
      questionnaireType: 'SIG-Core',
      deadline: '2024-03-15'
    }
  }
};
```
This skill automates third-party vendor security assessments by generating standardized questionnaires, parsing responses, and producing risk scores and reports. It streamlines vendor onboarding, reassessment, and continuous compliance monitoring for security and procurement teams. The workflow supports industry standards like SIG and CAIQ and outputs machine-readable analysis for GRC integrations.
Provide an operation (generate, parse, score, report, track) and vendor context to create or evaluate questionnaires. The skill generates SIG/CAIQ/custom forms, ingests response files, extracts control evidence, flags missing or concerning answers, and computes weighted security posture scores. It produces structured findings, recommendations, and exportable reports while tracking assessment status and deadlines.
**What questionnaire standards are supported?**

SIG-Lite, SIG-Core, SIG-Full, CAIQ, VSAQ and custom questionnaires are supported.

**Can the skill validate evidence attachments?**

Yes. It checks for presence of evidence, flags missing attachments, and can validate basic file types and expected artifacts.

**How are scores weighted?**

Scores use configurable weightings and critical control lists; you can set minimum scores and custom weight maps via the scoringCriteria input.
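The weighting, critical-control and evidence checks described in the answers above, worked through as an added example (this is not the skill's own code). It takes parsed responses keyed by question id and the `scoringCriteria` input, and returns the `responseAnalysis` and `securityScore` objects from the Output Schema. The question bank, per-question weights, rating bands, the extra `meetsMinimum` field and the sample responses are constructed assumptions; unanswered questions are scored as zero credit (a conservative choice, not something the page specifies), and a `No` on any control listed in `criticalControls` gates the rating to `critical` regardless of the numeric score.

```javascript
// Added example (not the skill's own code): weighted security posture scoring
// over parsed questionnaire responses. Question bank, weights, rating bands
// and sample responses are constructed; real SIG/CAIQ banks are far larger.

// Constructed question bank: domain, per-question weight, question text.
const QUESTIONS = [
  { id: 'AC-1', domain: 'Access Control', weight: 3, text: 'Is MFA enforced for all administrative access?' },
  { id: 'AC-2', domain: 'Access Control', weight: 2, text: 'Are user access reviews performed at least quarterly?' },
  { id: 'DP-1', domain: 'Data Protection', weight: 3, text: 'Is customer data encrypted at rest?' },
  { id: 'DP-2', domain: 'Data Protection', weight: 3, text: 'Is customer data encrypted in transit with TLS 1.2 or later?' },
  { id: 'IR-1', domain: 'Incident Response', weight: 2, text: 'Is there a documented, tested incident response plan?' },
  { id: 'IR-2', domain: 'Incident Response', weight: 2, text: 'Are customers notified of a breach within a defined SLA?' },
];

// Assumed rating bands (lower bound of overallScore -> riskRating).
const RATING_BANDS = [[90, 'low'], [75, 'medium'], [50, 'high'], [0, 'critical']];

// Normalise a free-text answer to credit in [0, 1]; null means unusable.
function answerScore(answer) {
  const a = String(answer ?? '').trim().toLowerCase();
  if (a === 'yes') return 1;
  if (a === 'partial' || a === 'partially') return 0.5;
  if (a === 'no') return 0;
  return null;
}

function scoreAssessment(responses, criteria = {}) {
  const { weightings = {}, criticalControls = [], minimumScore = 70 } = criteria;
  const domains = new Map();
  const analysis = { questionsAnswered: 0, questionsSkipped: 0, evidenceProvided: 0,
                     concerningResponses: [], missingInformation: [] };
  let earned = 0, possible = 0, criticalFailure = false;

  for (const q of QUESTIONS) {
    // Effective weight = question weight x domain multiplier from scoringCriteria.weightings.
    const weight = q.weight * (weightings[q.domain] ?? 1);
    const d = domains.get(q.domain) ?? { domain: q.domain, earned: 0, possible: 0, findings: [] };
    const r = responses[q.id];
    const s = r ? answerScore(r.answer) : null;
    if (s === null) {
      // Unanswered or unparseable: zero credit (conservative) and reported as missing.
      analysis.questionsSkipped++;
      analysis.missingInformation.push(`${q.id}: no response`);
    } else {
      analysis.questionsAnswered++;
      if (r.evidence) analysis.evidenceProvided++;
      else if (s === 1) analysis.missingInformation.push(`${q.id}: evidence not attached`);
      if (s < 1) {
        d.findings.push(`${q.id}: "${q.text}" answered "${r.answer}"`);
        if (criticalControls.includes(q.id)) {
          analysis.concerningResponses.push(q.id);
          if (s === 0) criticalFailure = true; // a failed critical control gates the rating
        }
      }
      d.earned += s * weight;
      earned += s * weight;
    }
    d.possible += weight;
    possible += weight;
    domains.set(q.domain, d);
  }

  const pct = (e, p) => (p === 0 ? 0 : Math.round((e / p) * 1000) / 10);
  const overallScore = pct(earned, possible);
  const riskRating = criticalFailure ? 'critical' : RATING_BANDS.find(([min]) => overallScore >= min)[1];

  return {
    responseAnalysis: analysis,
    securityScore: {
      overallScore,
      riskRating,
      meetsMinimum: overallScore >= minimumScore, // extra field, not in the Output Schema
      domainScores: [...domains.values()].map(d => ({
        domain: d.domain, score: pct(d.earned, d.possible), findings: d.findings,
      })),
    },
  };
}

// Constructed sample responses, shaped as a response-file parser might emit them.
const SAMPLE_RESPONSES = {
  'AC-1': { answer: 'Yes', evidence: 'mfa-policy.pdf' },
  'AC-2': { answer: 'Partial', evidence: null },
  'DP-1': { answer: 'Yes', evidence: 'kms-config.png' },
  'DP-2': { answer: 'No', evidence: null },
  'IR-1': { answer: 'Yes', evidence: null },
  // IR-2 deliberately left unanswered
};
const SAMPLE_CRITERIA = {
  weightings: { 'Data Protection': 2 },
  criticalControls: ['AC-1', 'DP-1', 'DP-2'],
  minimumScore: 75,
};

console.log(JSON.stringify(scoreAssessment(SAMPLE_RESPONSES, SAMPLE_CRITERIA), null, 2));
```

With the sample input the vendor scores 80 on Access Control, 50 on Data Protection and 50 on Incident Response (the unanswered IR-2 costs full credit), for an overall 57.1 that falls below the 75 minimum. The numeric band alone would rate that `high`; the `No` on DP-2, a critical control, gates it to `critical`, and the reviewer is told exactly which answers drove the result and where evidence is still owed.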