Babysitter vendor-security-questionnaire
Automated vendor security assessment through questionnaire generation, response parsing, and risk scoring
install
source · Clone the upstream repo
git clone https://github.com/a5c-ai/babysitter
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/a5c-ai/babysitter "$T" && mkdir -p ~/.claude/skills && cp -r "$T/library/specializations/security-compliance/skills/vendor-security-questionnaire" ~/.claude/skills/a5c-ai-babysitter-vendor-security-questionnaire && rm -rf "$T"
manifest:
library/specializations/security-compliance/skills/vendor-security-questionnaire/SKILL.mdsource content
Vendor Security Questionnaire Skill
Purpose
Automate vendor security assessment through standardized questionnaire generation, response parsing, security posture scoring, and risk report generation for third-party risk management programs.
Capabilities
Questionnaire Generation
- Generate industry-standard security questionnaires
- Create SIG (Standardized Information Gathering) questionnaires
- Build CAIQ (Consensus Assessment Initiative Questionnaire) forms
- Generate custom questionnaires based on risk tier
- Create vendor-type-specific assessments
- Support multiple response formats
Response Parsing and Analysis
- Parse questionnaire responses from various formats
- Extract key security control information
- Identify missing or incomplete responses
- Flag concerning answers for review
- Compare responses against requirements
- Validate evidence attachments
Security Posture Scoring
- Calculate vendor security scores
- Weight scores by control importance
- Compare against industry benchmarks
- Track score trends over time
- Generate risk-adjusted ratings
- Identify score improvement areas
Assessment Status Tracking
- Track assessment workflow status
- Monitor response deadlines
- Send automated reminders
- Escalate overdue assessments
- Maintain assessment history
- Archive completed assessments
Risk Report Generation
- Generate executive risk summaries
- Create detailed technical reports
- Produce comparison reports
- Build risk heat maps
- Generate board-level dashboards
- Export data for GRC systems
Vendor Compliance Monitoring
- Track vendor compliance commitments
- Monitor remediation progress
- Verify evidence of compliance
- Alert on compliance drift
- Schedule periodic reassessments
- Maintain compliance documentation
Questionnaire Standards
| Standard | Use Case | Questions |
|---|---|---|
| SIG Lite | Low-risk vendors | ~100 |
| SIG Core | Medium-risk vendors | ~300 |
| SIG Full | High-risk vendors | ~800+ |
| CAIQ | Cloud providers | ~300 |
| VSAQ | General vendors | Variable |
| Custom | Specific needs | Variable |
Assessment Domains
- Information Security Management
- Access Control
- Data Protection
- Network Security
- Application Security
- Physical Security
- Business Continuity
- Incident Response
- Compliance and Legal
- Third-Party Management
Integrations
- OneTrust: Third-party risk management
- ProcessUnity: Vendor risk management
- SecurityScorecard: Security ratings
- BitSight: Security ratings and benchmarks
- Prevalent: Third-party risk intelligence
- Shared Assessments: SIG questionnaire tools
Target Processes
- Third-Party Vendor Security Assessment
- Vendor Onboarding Security Review
- Annual Vendor Reassessment
- Vendor Risk Management
Input Schema
{ "type": "object", "properties": { "operation": { "type": "string", "enum": ["generate", "parse", "score", "report", "track"], "description": "Questionnaire operation type" }, "vendorInfo": { "type": "object", "properties": { "vendorName": { "type": "string" }, "vendorId": { "type": "string" }, "vendorType": { "type": "string" }, "riskTier": { "type": "string", "enum": ["critical", "high", "medium", "low"] }, "dataAccess": { "type": "array", "items": { "type": "string" } } } }, "questionnaireType": { "type": "string", "enum": ["SIG-Lite", "SIG-Core", "SIG-Full", "CAIQ", "VSAQ", "custom"], "description": "Questionnaire standard to use" }, "customDomains": { "type": "array", "items": { "type": "string" }, "description": "Specific domains to assess" }, "responseFile": { "type": "string", "description": "Path to questionnaire response file" }, "scoringCriteria": { "type": "object", "properties": { "minimumScore": { "type": "number" }, "criticalControls": { "type": "array" }, "weightings": { "type": "object" } } }, "deadline": { "type": "string", "format": "date", "description": "Assessment completion deadline" } }, "required": ["operation"] }
Output Schema
{ "type": "object", "properties": { "assessmentId": { "type": "string" }, "operation": { "type": "string" }, "timestamp": { "type": "string", "format": "date-time" }, "vendorInfo": { "type": "object" }, "questionnaire": { "type": "object", "properties": { "type": { "type": "string" }, "totalQuestions": { "type": "integer" }, "domains": { "type": "array" }, "filePath": { "type": "string" } } }, "responseAnalysis": { "type": "object", "properties": { "questionsAnswered": { "type": "integer" }, "questionsSkipped": { "type": "integer" }, "evidenceProvided": { "type": "integer" }, "concerningResponses": { "type": "array" }, "missingInformation": { "type": "array" } } }, "securityScore": { "type": "object", "properties": { "overallScore": { "type": "number" }, "riskRating": { "type": "string", "enum": ["low", "medium", "high", "critical"] }, "domainScores": { "type": "array", "items": { "type": "object", "properties": { "domain": { "type": "string" }, "score": { "type": "number" }, "findings": { "type": "array" } } } }, "benchmarkComparison": { "type": "object" }, "scoreHistory": { "type": "array" } } }, "riskFindings": { "type": "array", "items": { "type": "object", "properties": { "findingId": { "type": "string" }, "domain": { "type": "string" }, "severity": { "type": "string" }, "description": { "type": "string" }, "recommendation": { "type": "string" } } } }, "assessmentStatus": { "type": "object", "properties": { "status": { "type": "string" }, "deadline": { "type": "string" }, "daysRemaining": { "type": "integer" }, "remindersent": { "type": "boolean" } } }, "recommendations": { "type": "array", "items": { "type": "string" } }, "reportPath": { "type": "string" } } }
Usage Example
skill: { name: 'vendor-security-questionnaire', context: { operation: 'generate', vendorInfo: { vendorName: 'Cloud SaaS Provider', riskTier: 'high', dataAccess: ['PII', 'financial'] }, questionnaireType: 'SIG-Core', deadline: '2024-03-15' } }