vendor-management
Originally fromanthropics/knowledge-work-plugins
Installation
SKILL.md
Vendor Management
Implement a vendor risk management program covering vendor assessment questionnaires, risk scoring, contract tracking, SLA monitoring, and ongoing oversight for compliance with SOC 2, ISO 27001, and regulatory frameworks.
When to Use
- Onboarding new vendors that will access company data or systems
- Conducting annual vendor risk assessments and reassessments
- Negotiating security requirements in vendor contracts
- Monitoring vendor SLA compliance and security posture
- Preparing vendor management evidence for SOC 2 or ISO 27001 audits
Vendor Risk Tiering
vendor_risk_tiers:
critical:
criteria:
- Processes or stores sensitive/regulated data (PII, PHI, PCI)
- Single point of failure (no alternative vendor)
- Has privileged access to production systems
- Handles authentication or security-critical functions
assessment_requirements:
- Full security questionnaire (SIG or custom)
- SOC 2 Type II report review (or equivalent)
- Penetration test results review
- On-site or virtual security assessment (optional)
- Business continuity and DR plan review
review_frequency: Annual
contract_requirements:
- Data processing agreement (DPA)
- Business associate agreement (BAA) if PHI
- Security SLA with breach notification timeline
- Right to audit clause
- Cyber insurance requirements
examples:
- Cloud infrastructure providers (AWS, Azure, GCP)
- Identity providers (Okta, Azure AD)
- Payment processors (Stripe, Adyen)
- Primary database or CRM SaaS
high:
criteria:
- Accesses significant company data (internal or confidential)
- Integrates with production systems via API
- Processes customer-facing transactions
- Substitution would cause significant business disruption
assessment_requirements:
- Security questionnaire
- SOC 2 report review (Type I or Type II)
- Compliance certifications verified
review_frequency: Annual
contract_requirements:
- Data processing agreement
- Security requirements appendix
- Incident notification clause (72 hours)
examples:
- Email/marketing platforms (SendGrid, HubSpot)
- Monitoring and logging SaaS (Datadog, Splunk)
- CI/CD platforms (GitHub, GitLab)
- Customer support platforms
medium:
criteria:
- Limited data access (internal data only)
- Non-production system integration
- Some business impact if unavailable
assessment_requirements:
- Abbreviated security questionnaire
- Compliance certification verification
review_frequency: Every 2 years
contract_requirements:
- Standard vendor terms with security clause
- NDA
examples:
- Project management tools
- HR platforms
- Travel and expense systems
low:
criteria:
- No access to company data
- No system integration
- Easily replaceable
assessment_requirements:
- Basic due diligence (public info review)
- Confirm no data sharing
review_frequency: Every 3 years or on renewal
contract_requirements:
- Standard terms
examples:
- Office supply vendors
- Facilities services
- General consulting (no data access)
Vendor Assessment Questionnaire
security_questionnaire:
section_1_governance:
questions:
- "Do you have a documented information security policy?"
- "Is there a designated CISO or security lead?"
- "Do you conduct annual security risk assessments?"
- "Do you have a security awareness training program?"
- "What compliance certifications do you hold? (SOC 2, ISO 27001, etc.)"
- "When was your last external security audit?"
- "Do you carry cyber liability insurance? What coverage limits?"
evidence_requested:
- Information security policy (or summary)
- SOC 2 Type II report (or bridge letter)
- ISO 27001 certificate
- Cyber insurance certificate
section_2_access_control:
questions:
- "How do you manage user access to systems containing our data?"
- "Is multi-factor authentication enforced for all personnel?"
- "How frequently do you conduct access reviews?"
- "What is your process for revoking access upon employee termination?"
- "Do you support SSO/SAML integration for customer access?"
- "How do you manage privileged access?"
evidence_requested:
- Access management policy
- MFA configuration documentation
- Access review records (sample)
section_3_data_protection:
questions:
- "How is our data encrypted at rest?"
- "How is our data encrypted in transit?"
- "In which geographic regions is our data stored?"
- "Do you use sub-processors? If so, provide a list."
- "What is your data retention policy?"
- "How is our data isolated from other customers? (multi-tenancy model)"
- "Can you provide data export in standard formats upon request?"
- "What is your data destruction process at contract end?"
evidence_requested:
- Encryption standards documentation
- Sub-processor list
- Data flow diagram showing customer data handling
section_4_vulnerability_management:
questions:
- "How frequently do you perform vulnerability scans?"
- "How frequently do you conduct penetration tests?"
- "What is your patch management SLA for critical vulnerabilities?"
- "Do you have a responsible disclosure or bug bounty program?"
- "How do you manage vulnerabilities in third-party dependencies?"
evidence_requested:
- Penetration test executive summary (last 12 months)
- Vulnerability management policy
- Patch management SLA documentation
section_5_incident_response:
questions:
- "Do you have a documented incident response plan?"
- "What is your breach notification timeline?"
- "Have you experienced a data breach in the last 3 years?"
- "How would you notify us in the event of a security incident?"
- "Do you conduct incident response tabletop exercises?"
evidence_requested:
- Incident response plan summary
- Breach notification procedure
section_6_business_continuity:
questions:
- "Do you have a business continuity plan?"
- "Do you have a disaster recovery plan?"
- "What are your RTO and RPO targets?"
- "How frequently do you test your DR plan?"
- "What is your uptime SLA?"
- "Do you have geographic redundancy?"
evidence_requested:
- BCP/DR plan summary
- Uptime SLA documentation
- Most recent DR test results
section_7_compliance:
questions:
- "Do you process data subject to GDPR, HIPAA, or PCI DSS?"
- "How do you support our compliance obligations?"
- "Do you have a Data Processing Agreement (DPA) template?"
- "How do you handle data subject access requests (DSARs)?"
- "Are you FedRAMP authorized? If so, at what impact level?"
evidence_requested:
- DPA template
- Compliance certification documentation
Risk Scoring Model
risk_scoring:
dimensions:
data_sensitivity:
weight: 30
scores:
1: "No access to company or customer data"
2: "Access to public or non-sensitive internal data"
3: "Access to internal confidential data"
4: "Access to PII or customer financial data"
5: "Access to regulated data (PHI, PCI, classified)"
system_access:
weight: 25
scores:
1: "No system access"
2: "Read-only access to non-production"
3: "Read/write access to non-production or read-only production"
4: "Read/write access to production systems"
5: "Privileged/admin access to production or security systems"
business_criticality:
weight: 20
scores:
1: "No operational dependency"
2: "Minor convenience; easily replaced"
3: "Moderate dependency; replacement in weeks"
4: "Significant dependency; replacement in months"
5: "Critical dependency; no viable alternative"
security_posture:
weight: 15
scores:
5: "No certifications, no formal security program"
4: "Some security controls but no external validation"
3: "SOC 2 Type I or equivalent"
2: "SOC 2 Type II within last 12 months"
1: "Multiple certifications (SOC 2 + ISO 27001), strong program"
regulatory_exposure:
weight: 10
scores:
1: "No regulatory requirements"
2: "General data protection (GDPR basic)"
3: "Industry-specific (HIPAA, PCI)"
4: "Government (FedRAMP, ITAR)"
5: "Multiple stringent regulations"
calculation:
formula: "Sum of (dimension_score * dimension_weight) / 100"
risk_levels:
low: "Score 1.0 - 2.0"
medium: "Score 2.1 - 3.0"
high: "Score 3.1 - 4.0"
critical: "Score 4.1 - 5.0"
example:
vendor: "Payment Processor X"
data_sensitivity: 5 # PCI data
system_access: 4 # Production API integration
business_criticality: 5 # No alternative
security_posture: 2 # SOC 2 Type II
regulatory_exposure: 3 # PCI DSS
score: "(5*30 + 4*25 + 5*20 + 2*15 + 3*10) / 100 = 4.1 -> Critical"
Vendor Registry and Contract Tracking
vendor_registry_schema:
vendor_info:
vendor_id: "VND-NNNN"
vendor_name: ""
vendor_website: ""
primary_contact_email: ""
security_contact_email: ""
vendor_category: "" # SaaS, IaaS, Consulting, etc.
risk_assessment:
risk_tier: "" # critical, high, medium, low
risk_score: 0.0
last_assessment_date: ""
next_assessment_date: ""
assessment_status: "" # current, due, overdue
open_findings: 0
certifications:
- type: "SOC 2 Type II"
valid_until: ""
report_on_file: true
- type: "ISO 27001"
valid_until: ""
certificate_on_file: true
contract:
contract_id: ""
start_date: ""
end_date: ""
auto_renewal: true
cancellation_notice_days: 90
annual_value: 0
terms:
data_processing_agreement: true
nda: true
baa: false
right_to_audit: true
breach_notification_sla: "72 hours"
data_return_clause: true
data_destruction_clause: true
cyber_insurance_required: true
data_access:
data_types: []
data_classification: ""
data_location: []
sub_processors: []
sla_tracking:
uptime_sla: "99.9%"
actual_uptime_last_month: ""
support_response_sla: ""
sla_breaches_ytd: 0
status: "" # active, under_review, offboarding, inactive
owner: "" # Internal team/person responsible
SLA Monitoring
"""
Vendor SLA monitoring - Track uptime and response time commitments.
"""
import requests
from datetime import datetime, timezone
class VendorSLAMonitor:
def __init__(self, vendors_config):
self.vendors = vendors_config
def check_uptime(self, vendor):
"""Check vendor service availability."""
results = []
for endpoint in vendor.get("health_endpoints", []):
try:
resp = requests.get(
endpoint["url"],
timeout=endpoint.get("timeout", 10),
headers=endpoint.get("headers", {}),
)
results.append({
"endpoint": endpoint["url"],
"status": resp.status_code,
"response_time_ms": resp.elapsed.total_seconds() * 1000,
"healthy": resp.status_code == endpoint.get("expected_status", 200),
"timestamp": datetime.now(timezone.utc).isoformat(),
})
except requests.RequestException as e:
results.append({
"endpoint": endpoint["url"],
"status": "error",
"error": str(e),
"healthy": False,
"timestamp": datetime.now(timezone.utc).isoformat(),
})
return results
def check_status_page(self, vendor):
"""Check vendor status page for active incidents."""
status_url = vendor.get("status_page_url")
if not status_url:
return None
try:
api_url = f"{status_url}/api/v2/summary.json"
resp = requests.get(api_url, timeout=10)
data = resp.json()
return {
"vendor": vendor["name"],
"status": data.get("status", {}).get("indicator", "unknown"),
"active_incidents": len(data.get("incidents", [])),
"components": [
{"name": c["name"], "status": c["status"]}
for c in data.get("components", [])
],
}
except Exception:
return {"vendor": vendor["name"], "status": "unknown"}
def generate_sla_report(self, vendor_name, monthly_checks):
"""Calculate monthly SLA compliance."""
total = len(monthly_checks)
healthy = sum(1 for c in monthly_checks if c.get("healthy"))
uptime_pct = (healthy / total * 100) if total > 0 else 0
avg_response = (
sum(c.get("response_time_ms", 0) for c in monthly_checks if c.get("healthy"))
/ max(healthy, 1)
)
return {
"vendor": vendor_name,
"period": datetime.now(timezone.utc).strftime("%Y-%m"),
"total_checks": total,
"healthy_checks": healthy,
"uptime_percentage": round(uptime_pct, 3),
"avg_response_time_ms": round(avg_response, 1),
"sla_met": uptime_pct >= 99.9,
}
Vendor Lifecycle Management
vendor_lifecycle:
onboarding:
step_1_request:
- Business owner submits vendor request with use case
- Procurement assigns vendor ID
- Initial risk tier assessment based on data access and criticality
step_2_assess:
- Send security questionnaire (appropriate to tier)
- Review compliance certifications
- Evaluate questionnaire responses
- Score vendor risk
step_3_contract:
- Negotiate security requirements based on risk tier
- Execute DPA/BAA as required
- Document data flows and access scope
- Set SLA expectations
step_4_provision:
- Configure integration with least privilege access
- Enable audit logging for vendor access
- Add to vendor registry
- Schedule first reassessment
ongoing_management:
monitoring:
- Track SLA compliance monthly
- Monitor vendor status pages for incidents
- Review vendor security advisories
- Track data sub-processor changes
reassessment:
- Conduct reassessment per tier schedule
- Review updated SOC 2 / ISO 27001 reports
- Verify certifications are current
- Update risk score
offboarding:
step_1_plan:
- Data migration or transition to replacement vendor
- Identify all integrations and access points
- Communication plan for stakeholders
step_2_execute:
- Revoke all API keys, credentials, and access
- Request data return or destruction certificate
- Remove vendor integrations from systems
- Disable SSO/SAML connections
step_3_verify:
- Confirm data destruction (written certification)
- Verify all access revoked
- Update vendor registry status to inactive
- Archive vendor records for retention period
Vendor Management Checklist
vendor_management_checklist:
program_setup:
- [ ] Vendor risk tiering criteria defined
- [ ] Security questionnaire template created
- [ ] Risk scoring model documented
- [ ] Vendor registry established
- [ ] Onboarding and offboarding procedures documented
- [ ] Contract security requirements defined per tier
ongoing_operations:
- [ ] All active vendors cataloged in registry
- [ ] Risk tier assigned to each vendor
- [ ] Security assessments current (per tier schedule)
- [ ] Compliance certifications on file and not expired
- [ ] DPAs/BAAs signed for all vendors handling personal data
- [ ] SLA monitoring active for critical and high-tier vendors
- [ ] Sub-processor lists reviewed and tracked
- [ ] Vendor security incidents tracked and assessed
governance:
- [ ] Vendor management policy approved and published
- [ ] Roles and responsibilities assigned (owner per vendor)
- [ ] Assessment findings tracked to remediation
- [ ] Vendor risk reported to management quarterly
- [ ] Offboarding includes data destruction verification
- [ ] Evidence retained for compliance audit (3+ years)
Best Practices
- Tier vendors by risk before investing assessment effort: not every vendor needs a full security review
- Use standardized questionnaires (SIG, CAIQ, or consistent custom template) for comparable assessments
- Review SOC 2 Type II reports thoroughly, including complementary user entity controls
- Include right-to-audit clauses in contracts for critical vendors even if you do not exercise them frequently
- Monitor vendor status pages and set up alerts for outages affecting your services
- Track sub-processor changes: your vendor's vendor is part of your supply chain risk
- Maintain a vendor registry as a single source of truth for all vendor relationships
- Conduct offboarding rigorously: revoke all access and obtain data destruction certificates
- Score vendor risk quantitatively to enable consistent prioritization and trend analysis
- Report vendor risk metrics to management quarterly as part of the overall risk management program
Weekly Installs
32
Repository
bagelhole/devop…t-skillsGitHub Stars
18
First Seen
5 days ago
Security Audits