vendor-security-questionnaire

Automated vendor security assessment through questionnaire generation, response parsing, and risk scoring

Stars: 384 | Forks: 73 | Updated: March 4, 2026
SKILL.md Frontmatter

name: vendor-security-questionnaire
description: Automated vendor security assessment through questionnaire generation, response parsing, and risk scoring
allowed-tools: Bash, Read, Write, Glob, Grep, WebFetch

Vendor Security Questionnaire Skill

Purpose

Automate vendor security assessment through standardized questionnaire generation, response parsing, security posture scoring, and risk report generation for third-party risk management programs.

Capabilities

Questionnaire Generation

  • Generate industry-standard security questionnaires
  • Create SIG (Standardized Information Gathering) questionnaires
  • Build CAIQ (Consensus Assessment Initiative Questionnaire) forms
  • Generate custom questionnaires based on risk tier
  • Create vendor-type-specific assessments
  • Support multiple response formats

Response Parsing and Analysis

  • Parse questionnaire responses from various formats
  • Extract key security control information
  • Identify missing or incomplete responses
  • Flag concerning answers for review
  • Compare responses against requirements
  • Validate evidence attachments

Security Posture Scoring

  • Calculate vendor security scores
  • Weight scores by control importance
  • Compare against industry benchmarks
  • Track score trends over time
  • Generate risk-adjusted ratings
  • Identify score improvement areas

Assessment Status Tracking

  • Track assessment workflow status
  • Monitor response deadlines
  • Send automated reminders
  • Escalate overdue assessments
  • Maintain assessment history
  • Archive completed assessments

Risk Report Generation

  • Generate executive risk summaries
  • Create detailed technical reports
  • Produce comparison reports
  • Build risk heat maps
  • Generate board-level dashboards
  • Export data for GRC systems

Vendor Compliance Monitoring

  • Track vendor compliance commitments
  • Monitor remediation progress
  • Verify evidence of compliance
  • Alert on compliance drift
  • Schedule periodic reassessments
  • Maintain compliance documentation

Questionnaire Standards

Standard    Use Case               Questions
SIG Lite    Low-risk vendors       ~100
SIG Core    Medium-risk vendors    ~300
SIG Full    High-risk vendors      ~800+
CAIQ        Cloud providers        ~300
VSAQ        General vendors        Variable
Custom      Specific needs         Variable

Assessment Domains

  • Information Security Management
  • Access Control
  • Data Protection
  • Network Security
  • Application Security
  • Physical Security
  • Business Continuity
  • Incident Response
  • Compliance and Legal
  • Third-Party Management

Integrations

  • OneTrust: Third-party risk management
  • ProcessUnity: Vendor risk management
  • SecurityScorecard: Security ratings
  • BitSight: Security ratings and benchmarks
  • Prevalent: Third-party risk intelligence
  • Shared Assessments: SIG questionnaire tools

Target Processes

  • Third-Party Vendor Security Assessment
  • Vendor Onboarding Security Review
  • Annual Vendor Reassessment
  • Vendor Risk Management

Input Schema

{
  "type": "object",
  "properties": {
    "operation": {
      "type": "string",
      "enum": ["generate", "parse", "score", "report", "track"],
      "description": "Questionnaire operation type"
    },
    "vendorInfo": {
      "type": "object",
      "properties": {
        "vendorName": { "type": "string" },
        "vendorId": { "type": "string" },
        "vendorType": { "type": "string" },
        "riskTier": { "type": "string", "enum": ["critical", "high", "medium", "low"] },
        "dataAccess": { "type": "array", "items": { "type": "string" } }
      }
    },
    "questionnaireType": {
      "type": "string",
      "enum": ["SIG-Lite", "SIG-Core", "SIG-Full", "CAIQ", "VSAQ", "custom"],
      "description": "Questionnaire standard to use"
    },
    "customDomains": {
      "type": "array",
      "items": { "type": "string" },
      "description": "Specific domains to assess"
    },
    "responseFile": {
      "type": "string",
      "description": "Path to questionnaire response file"
    },
    "scoringCriteria": {
      "type": "object",
      "properties": {
        "minimumScore": { "type": "number" },
        "criticalControls": { "type": "array" },
        "weightings": { "type": "object" }
      }
    },
    "deadline": {
      "type": "string",
      "format": "date",
      "description": "Assessment completion deadline"
    }
  },
  "required": ["operation"]
}

Output Schema

{
  "type": "object",
  "properties": {
    "assessmentId": {
      "type": "string"
    },
    "operation": {
      "type": "string"
    },
    "timestamp": {
      "type": "string",
      "format": "date-time"
    },
    "vendorInfo": {
      "type": "object"
    },
    "questionnaire": {
      "type": "object",
      "properties": {
        "type": { "type": "string" },
        "totalQuestions": { "type": "integer" },
        "domains": { "type": "array" },
        "filePath": { "type": "string" }
      }
    },
    "responseAnalysis": {
      "type": "object",
      "properties": {
        "questionsAnswered": { "type": "integer" },
        "questionsSkipped": { "type": "integer" },
        "evidenceProvided": { "type": "integer" },
        "concerningResponses": { "type": "array" },
        "missingInformation": { "type": "array" }
      }
    },
    "securityScore": {
      "type": "object",
      "properties": {
        "overallScore": { "type": "number" },
        "riskRating": { "type": "string", "enum": ["low", "medium", "high", "critical"] },
        "domainScores": {
          "type": "array",
          "items": {
            "type": "object",
            "properties": {
              "domain": { "type": "string" },
              "score": { "type": "number" },
              "findings": { "type": "array" }
            }
          }
        },
        "benchmarkComparison": { "type": "object" },
        "scoreHistory": { "type": "array" }
      }
    },
    "riskFindings": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "findingId": { "type": "string" },
          "domain": { "type": "string" },
          "severity": { "type": "string" },
          "description": { "type": "string" },
          "recommendation": { "type": "string" }
        }
      }
    },
    "assessmentStatus": {
      "type": "object",
      "properties": {
        "status": { "type": "string" },
        "deadline": { "type": "string" },
        "daysRemaining": { "type": "integer" },
        "reminderSent": { "type": "boolean" }
      }
    },
    "recommendations": {
      "type": "array",
      "items": { "type": "string" }
    },
    "reportPath": {
      "type": "string"
    }
  }
}
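The Security Posture Scoring capability above (weighting scores by control importance, producing risk-adjusted ratings) and the responseAnalysis / securityScore objects of the Output Schema, carried through end to end as an added Python example. This is illustration written for this page, not the skill's own implementation: the per-question response record format, the numeric value of each answer type, the rating thresholds, the rule that a failed critical control forces a "critical" rating, and the sample control ids and weightings are all constructed assumptions.

```python
"""Weighted vendor questionnaire scoring (added example, not the skill's code).

Assumed response format: one record per question with a control id, the
assessment domain, an answer of yes/partial/no/n/a (None = unanswered) and
whether evidence was attached. Criteria follow the input schema's
scoringCriteria object; the result follows the output schema's
responseAnalysis and securityScore objects.
"""
import json
from collections import defaultdict

# Assumed value of each answer type; "n/a" is left out of the denominator
# and an unanswered question scores 0 (not demonstrated, not "unknown").
ANSWER_VALUE = {"yes": 1.0, "partial": 0.5, "no": 0.0}

# Constructed sample responses (control ids and domains are made up).
SAMPLE_RESPONSES = [
    {"id": "AC-01", "domain": "Access Control", "answer": "yes", "evidence": True},
    {"id": "AC-02", "domain": "Access Control", "answer": "partial", "evidence": False},
    {"id": "DP-01", "domain": "Data Protection", "answer": "yes", "evidence": False},
    {"id": "DP-02", "domain": "Data Protection", "answer": "no", "evidence": False},
    {"id": "IR-01", "domain": "Incident Response", "answer": "yes", "evidence": True},
    {"id": "IR-02", "domain": "Incident Response", "answer": None, "evidence": False},
    {"id": "PS-01", "domain": "Physical Security", "answer": "n/a", "evidence": False},
]

# Constructed scoringCriteria; domains not listed in weightings weigh 1.0.
SAMPLE_CRITERIA = {
    "minimumScore": 70,
    "criticalControls": ["DP-01", "DP-02", "IR-02"],
    "weightings": {"Access Control": 2.0, "Data Protection": 2.0,
                   "Incident Response": 1.5},
}


def analyze_responses(responses, criteria):
    """Build the responseAnalysis object: counts plus answers that need review."""
    critical = set(criteria.get("criticalControls", []))
    analysis = {"questionsAnswered": 0, "questionsSkipped": 0, "evidenceProvided": 0,
                "concerningResponses": [], "missingInformation": []}
    for r in responses:
        if r["answer"] is None:
            analysis["questionsSkipped"] += 1
            analysis["missingInformation"].append(r["id"])
            continue
        analysis["questionsAnswered"] += 1
        if r["evidence"]:
            analysis["evidenceProvided"] += 1
        # A "no" is always flagged; a critical control claimed without
        # evidence is flagged as unverified rather than accepted on trust.
        if r["answer"] == "no":
            analysis["concerningResponses"].append(
                {"id": r["id"], "reason": "control not in place"})
        elif r["id"] in critical and not r["evidence"]:
            analysis["concerningResponses"].append(
                {"id": r["id"], "reason": "critical control claimed without evidence"})
    return analysis


def risk_rating(overall, critical_failed):
    """Assumed thresholds; a failed critical control overrides the score."""
    if critical_failed:
        return "critical"
    if overall >= 85:
        return "low"
    if overall >= 70:
        return "medium"
    if overall >= 50:
        return "high"
    return "critical"


def score_vendor(responses, criteria):
    """Build the securityScore object: per-domain scores and a weighted overall."""
    weights = criteria.get("weightings", {})
    critical = set(criteria.get("criticalControls", []))
    earned, possible, findings = defaultdict(float), defaultdict(int), defaultdict(list)
    critical_failed = False
    for r in responses:
        if r["answer"] == "n/a":
            continue
        value = ANSWER_VALUE.get(r["answer"], 0.0)
        earned[r["domain"]] += value
        possible[r["domain"]] += 1
        if value < 1.0:
            findings[r["domain"]].append(r["id"])  # anything short of a full "yes"
        if r["id"] in critical and r["answer"] == "no":
            critical_failed = True
    domain_scores, weighted_sum, weight_total = [], 0.0, 0.0
    for domain in possible:
        score = round(100.0 * earned[domain] / possible[domain], 1)
        w = weights.get(domain, 1.0)
        weighted_sum += score * w
        weight_total += w
        domain_scores.append({"domain": domain, "score": score, "findings": findings[domain]})
    overall = round(weighted_sum / weight_total, 1) if weight_total else 0.0
    return {"overallScore": overall, "riskRating": risk_rating(overall, critical_failed),
            "domainScores": domain_scores}


def assess(responses, criteria):
    """Combine analysis, score and plain-language recommendations."""
    analysis = analyze_responses(responses, criteria)
    score = score_vendor(responses, criteria)
    recs = []
    if score["overallScore"] < criteria.get("minimumScore", 0):
        recs.append(f"Overall score {score['overallScore']} is below the required minimum "
                    f"of {criteria['minimumScore']}; request a remediation plan")
    recs += [f"Review {c['id']}: {c['reason']}" for c in analysis["concerningResponses"]]
    recs += [f"Request an answer for unanswered question {q}" for q in analysis["missingInformation"]]
    return {"responseAnalysis": analysis, "securityScore": score, "recommendations": recs}


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_RESPONSES, SAMPLE_CRITERIA), indent=2))
```

With the constructed data, Access Control scores 75.0, Data Protection and Incident Response 50.0 each, and Physical Security is dropped because its only question is not applicable; the weighted overall is 59.1, and because DP-02 is a critical control answered "no" the rating is "critical" regardless of that number. The override is the risk-adjusted part: a vendor should not be able to average away a missing critical control with many easy "yes" answers elsewhere.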

Usage Example

skill: {
  name: 'vendor-security-questionnaire',
  context: {
    operation: 'generate',
    vendorInfo: {
      vendorName: 'Cloud SaaS Provider',
      riskTier: 'high',
      dataAccess: ['PII', 'financial']
    },
    questionnaireType: 'SIG-Core',
    deadline: '2024-03-15'
  }
}