# vendor-management

```
npx machina-cli add skill BagelHole/DevOps-Security-Agent-Skills/vendor-management --openclaw
```
# Vendor Management

Manage third-party vendor security risks.
## Vendor Assessment

```yaml
assessment_process:
  1_identify:
    - Catalog all vendors
    - Classify by risk tier
  2_assess:
    - Security questionnaire
    - SOC 2 review
    - Penetration test results
  3_contract:
    - Security requirements
    - Data processing agreement
    - SLAs
  4_monitor:
    - Continuous monitoring
    - Annual reassessment
    - Incident notification
```
## Risk Tiers

| Tier | Criteria | Assessment |
|---|---|---|
| Critical | Access to sensitive data | Full assessment, annual |
| High | Significant data access | Questionnaire + SOC 2 |
| Medium | Limited data access | Security questionnaire |
| Low | No data access | Basic due diligence |
## Security Questionnaire

```yaml
categories:
  governance:
    - Security policies
    - Risk management
    - Compliance certifications
  technical:
    - Access controls
    - Encryption
    - Vulnerability management
  operational:
    - Incident response
    - Business continuity
    - Change management
```
## Best Practices

- Tier-based assessments
- Regular reassessment
- Contract security terms
- Incident notification requirements
- Exit strategy planning
## Source

```
git clone https://github.com/BagelHole/DevOps-Security-Agent-Skills/blob/main/compliance/governance/vendor-management/SKILL.md
```

## Overview

This skill helps you manage third-party vendor security risks by building a formal assessment process, maintaining a vendor inventory, and enforcing security requirements across contracts. It emphasizes tiered risk assessments, ongoing monitoring, and incident notifications to protect data and operations.
## How This Skill Works

A vendor-management program catalogs all vendors, classifies them by risk tier, and runs assessments (security questionnaires, SOC 2 reviews, and penetration tests). It then codifies security requirements in contracts, data processing agreements, and SLAs, and implements continuous monitoring with annual reassessment and incident-notification processes.
## When to Use It

- Onboarding a new vendor with access to sensitive data
- Reassessing high- or critical-risk vendors using questionnaires, SOC 2, and pen tests
- Contracting with vendors to include security terms, DPAs, and SLAs
- Setting up ongoing monitoring and annual reassessment cycles
- Responding to a vendor security incident or planning an exit strategy
## Quick Start

- Step 1: Catalog all vendors and classify them by risk tier
- Step 2: Conduct security assessments (questionnaire, SOC 2, pen tests) and set contract terms (security requirements, DPA, SLAs)
- Step 3: Establish ongoing monitoring, annual reassessment, and incident-notification processes
## Example Use Cases

- Catalog all vendors and assign risk tiers to prioritize assessments
- Run security questionnaires and review SOC 2 reports for a critical vendor
- Add security requirements, a data processing agreement, and SLAs to vendor contracts
- Enable continuous vendor monitoring and conduct annual reassessments
- Prepare an exit plan and termination procedures for a vendor