npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
When to Use
- When assessing a new vendor before onboarding, especially one that will handle sensitive data, connect to your network, or be embedded in a critical process.
- When standing up or maturing a third-party risk management (TPRM) program and you need a repeatable tiering + assessment workflow.
- When tiering an existing vendor portfolio so effort matches risk.
- When reviewing vendor evidence — a SOC 2 Type II report, ISO 27001 certificate, CAIQ, or pen-test summary — and you need to know what to look for.
- When writing security and privacy requirements into a contract / DPA, including breach-notification SLAs and right-to-audit.
- When a vendor (or their subcontractor) suffers a breach and you must assess exposure.
- When managing software supply-chain and Nth-party (fourth-party and beyond) risk.
Prerequisites
- A vendor inventory (who you use, for what, and what data/access each has).
- A defined risk-tiering model (criteria and thresholds) agreed with the business.
- Access to standardized questionnaires (Shared Assessments SIG, CSA CAIQ) and a way to collect evidence.
- Clarity on your own regulatory obligations that flow down to vendors (e.g., HIPAA BAAs, CMMC flowdown, GDPR processor terms, PCI).
- Stakeholders identified: procurement, legal, security, data owner, and the business sponsor.
Workflow
1. Inventory and classify vendors
Catalog every third party and capture: data sensitivity handled, type of access (network, physical, none), business criticality, and regulatory scope. You cannot manage what you have not inventoried — shadow vendors are a common blind spot.
2. Tier by inherent risk
Score each vendor on inherent-risk factors (data sensitivity, access, criticality, regulatory scope, spend/concentration) and assign a tier (e.g., Critical / High / Moderate / Low). The tier drives how deep the assessment goes and how often you reassess. A payroll processor with PII and system access is not the same risk as a stock-photo subscription.
3. Run tier-appropriate due diligence
- Critical/High: full SIG (or SIG Core), request SOC 2 Type II and/or ISO 27001, recent pen-test summary, and evidence of an incident-response capability. Consider an assessor call.
- Moderate: SIG Lite or CAIQ, plus key attestations.
- Low: lightweight questionnaire / self-attestation.
4. Review evidence critically
Don't just collect — read:
- SOC 2 Type II: check scope, the Trust Services Criteria covered, the audit period (not just the date), and especially the exceptions/deviations and any qualified opinion. A clean cover page can hide noted exceptions.
- ISO 27001: confirm the scope statement and the Statement of Applicability actually cover the service you're buying.
- CAIQ: look for "no" answers and CCM domains left blank.
- Pen-test: age, scope, and whether highs/criticals were remediated.
5. Identify gaps and decide
Compare findings against your control requirements. For each gap: accept, require remediation (with a date), add a compensating control on your side, or walk away. Record the residual risk and a risk-owner decision.
6. Codify in the contract / DPA
Bake requirements into the agreement: security control obligations, breach-notification timeline, data-handling and return/destruction terms, right-to-audit / right to assessment evidence, subcontractor (Nth-party) flowdown, and liability/insurance. Contracts are where TPRM gets teeth.
7. Monitor continuously
Tiering is not a one-time gate. For higher tiers: periodic reassessment, security-ratings feeds, breach/news monitoring, certificate-expiry tracking, and watching for material changes (acquisition, region change, new subprocessors). Re-tier on change.
8. Manage Nth-party and concentration risk
Map critical fourth parties (your vendor's key subprocessors) and watch for concentration (many vendors riding on the same upstream provider) — a single upstream outage or breach can hit your whole portfolio at once.
9. Offboard securely
On termination: revoke access and credentials, confirm data return or certified destruction, remove integrations/API keys, and update the inventory. Un-offboarded vendors are standing risk.
Key Concepts
| Concept | Definition |
|---|---|
| Inherent risk | Risk a vendor poses before controls — drives tiering. |
| Residual risk | Risk remaining after the vendor's (and your) controls. |
| Vendor tier | Risk band (Critical/High/Moderate/Low) setting assessment depth and cadence. |
| SIG | Shared Assessments Standardized Information Gathering questionnaire (full / Lite / Core). |
| CAIQ | CSA Consensus Assessments Initiative Questionnaire (maps to the Cloud Controls Matrix). |
| SOC 2 Type II | Attestation on control design and operating effectiveness over a period. |
| Right to audit | Contractual right to assess the vendor or obtain assessment evidence. |
| Nth-party / fourth-party | Your vendor's vendors (and beyond) — indirect supply-chain risk. |
| Concentration risk | Many vendors depending on the same upstream provider. |
| C-SCRM | Cybersecurity Supply Chain Risk Management (NIST SP 800-161). |
Tools & Systems
- NIST SP 800-161 Rev 1 — Cybersecurity Supply Chain Risk Management practices.
- NIST CSF 2.0 — GV.SC — the supply-chain risk-management category (program backbone).
- Shared Assessments SIG and CSA CAIQ / STAR registry — standardized questionnaires.
- SOC 2 / ISO 27001 / PCI AOC / pen-test reports — vendor evidence.
- Security-ratings services (e.g., BitSight/SecurityScorecard-style) — continuous external signal.
- TPRM platforms — OneTrust, ProcessUnity, Prevalent, ServiceNow VRM, etc., to manage the workflow and inventory.
- GDPR DPA / HIPAA BAA / CMMC flowdown — regulatory contract instruments.
Common Scenarios
- New SaaS onboarding. Tier it, send the right questionnaire, read the SOC 2 exceptions, set contract terms, then approve with documented residual risk.
- Portfolio has 400 vendors, no tiers. Tier first; concentrate assessment effort on the Critical/High tail rather than spreading thin.
- Vendor breach in the news. Pull the vendor record, assess data/access exposure, invoke the breach-notification clause, and require a post-incident report.
- Auditor asks for your TPRM program. Show the tiering model, the assessment cadence, and evidence of continuous monitoring mapped to GV.SC.
- Critical fourth party identified. Document the dependency and the concentration risk; build a contingency for that upstream provider.
Output Format
Produce a Vendor Risk Assessment using assets/template.md, containing:
- Vendor profile — service, data handled, access type, business criticality, regulatory scope.
- Inherent-risk tier — score and resulting tier, with rationale.
- Due-diligence performed — questionnaire used and evidence collected (SOC 2 period, ISO scope, pen-test age).
- Findings — gaps with severity, including notable SOC 2 exceptions.
- Decision & residual risk — approve/conditional/reject, with risk-owner sign-off.
- Contractual requirements — security terms, breach SLA, right-to-audit, subprocessor flowdown.
- Monitoring & reassessment plan — cadence, signals watched, re-tier triggers.
- Nth-party notes — critical subprocessors and concentration risk.
Use scripts/process.py to compute a vendor's inherent-risk tier from a profile JSON, set the assessment depth and reassessment cadence, and flag missing evidence for the assigned tier.
References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 1
standards.md4.3 KB
Third-Party / Vendor Risk Management — Standards & Reference
Primary standards & frameworks
| Source | Role |
|---|---|
| NIST SP 800-161 Rev 1 (May 2022) | Cybersecurity Supply Chain Risk Management (C-SCRM) practices for systems and organizations. URL: https://csrc.nist.gov/pubs/sp/800/161/r1/final |
| NIST CSF 2.0 — GV.SC | The Cybersecurity Supply Chain Risk Management category; the governance backbone for a TPRM program. |
| NIST SP 800-37 / 800-53 (SR family) | Supply Chain Risk Management controls (SR-x) within the broader control catalog. |
| ISO/IEC 27036 | Information security for supplier relationships. |
| Shared Assessments | SIG questionnaire + Third Party Risk Management framework. |
| CSA CAIQ / Cloud Controls Matrix (CCM) / STAR | Cloud-vendor self-assessment and registry. |
NIST CSF 2.0 — GV.SC subcategories (selected)
| ID | Outcome |
|---|---|
| GV.SC-01 | A cyber supply-chain risk-management program/strategy is established and agreed. |
| GV.SC-03 | Supply-chain risk management is integrated into cybersecurity and ERM. |
| GV.SC-04 | Suppliers are known and prioritized by criticality. |
| GV.SC-05 | Requirements to address supply-chain risk are established in contracts. |
| GV.SC-06 | Due diligence is performed to reduce risk before entering relationships. |
| GV.SC-07 | Supplier risks are understood, monitored, and managed over the relationship. |
| GV.SC-08 | Suppliers are included in incident planning, response, and recovery. |
| GV.SC-10 | Supply-chain risk is managed through to relationship termination. |
Vendor tiering — typical inherent-risk factors
- Data sensitivity handled (regulated PII/PHI/CHD, IP, none).
- Access type (network/system access, physical access, none).
- Business criticality (would an outage stop operations?).
- Regulatory scope (HIPAA, PCI, GDPR, CMMC flowdown).
- Integration depth (API/identity federation vs standalone).
- Concentration / spend (single-source, large dependency).
Tiers commonly: Critical / High / Moderate / Low — each mapped to an assessment depth and a reassessment cadence.
Due-diligence instruments
| Instrument | What it is |
|---|---|
| SIG (Full / Core / Lite) | Shared Assessments standardized questionnaire; depth scales with tier. |
| CAIQ | CSA questionnaire mapped to the Cloud Controls Matrix. |
| SOC 2 Type II | AICPA attestation on control design and operating effectiveness over a period (Trust Services Criteria: Security required; Availability, Confidentiality, Processing Integrity, Privacy optional). |
| SOC 2 Type I | Design only, at a point in time (weaker assurance than Type II). |
| ISO/IEC 27001 certificate + SoA | Certified ISMS; check the scope statement covers the purchased service. |
| Penetration-test summary | Independent testing; check age, scope, and remediation of highs/criticals. |
| PCI AOC | Attestation of Compliance for card-data handlers. |
Reading a SOC 2 critically
- Confirm the report type (II > I) and the audit period length.
- Check the scope / system description matches the service you buy.
- Read the exceptions / deviations and the auditor's opinion (unqualified vs qualified).
- Review complementary user-entity controls (CUECs) — what the vendor expects you to do.
- Note the subservice organizations (their critical fourth parties).
Contractual security terms to require
- Security control obligations (map to your baseline).
- Breach-notification timeline (e.g., notify within X hours of discovery).
- Data handling, location, and return/certified destruction on exit.
- Right to audit or to receive current assessment evidence.
- Subcontractor (Nth-party) flowdown and prior-approval of new subprocessors.
- Liability, indemnity, and cyber-insurance requirements.
- Regulatory instruments: DPA (GDPR), BAA (HIPAA), CMMC flowdown.
Continuous monitoring signals
Security-ratings feeds, breach/news monitoring, certificate/attestation expiry, new subprocessor notices, ownership/region changes, and periodic re-questionnaire on cadence by tier.
Nth-party & concentration risk
- Fourth-party = your vendor's vendors; map the critical ones.
- Concentration risk = many vendors depending on the same upstream (e.g., one cloud region or one auth provider) — a single upstream failure can be systemic.
Scripts 1
process.py8.5 KB
#!/usr/bin/env python3
"""
Third-party vendor inherent-risk tiering and evidence-gap checker.
Scores a vendor's inherent risk from a profile, assigns a tier
(Critical/High/Moderate/Low), sets the assessment depth and reassessment
cadence for that tier, and flags evidence that is missing or stale for the
assigned tier.
Input JSON shape:
{
"vendor": {"name": "PayWorks", "service": "Payroll processing"},
"profile": {
"data_sensitivity": "regulated", # regulated | confidential | internal | public
"access": "system", # system | network | physical | none
"criticality": "high", # high | medium | low
"regulated_scope": ["PII"], # list; non-empty raises risk
"integration": "deep", # deep | moderate | none
"concentration": true # single-source / large dependency
},
"evidence": { # OPTIONAL; what you have on file
"sig": "core", # full | core | lite | caiq | none
"soc2_type": "II", # II | I | none
"soc2_period_months": 12,
"iso27001": true,
"pentest_age_months": 8
}
}
Usage:
python process.py --input vendor.json [--output assessment.md]
python process.py --input vendor.json --fail-on-evidence-gap
"""
import argparse
import json
import sys
# inherent-risk points per factor
DATA_POINTS = {"regulated": 4, "confidential": 3, "internal": 1, "public": 0}
ACCESS_POINTS = {"system": 4, "network": 3, "physical": 2, "none": 0}
CRIT_POINTS = {"high": 4, "medium": 2, "low": 1}
INTEG_POINTS = {"deep": 2, "moderate": 1, "none": 0}
# tier thresholds on total inherent score (max ~17)
def tier_for(score):
if score >= 13:
return "Critical"
if score >= 9:
return "High"
if score >= 5:
return "Moderate"
return "Low"
# per-tier expectations
TIER_PLAYBOOK = {
"Critical": {
"depth": "Full SIG + SOC 2 Type II (12-month period) + ISO 27001 + recent pen-test + assessor call",
"cadence": "Reassess annually; continuous security-ratings monitoring",
"require": {"sig": ("full", "core"), "soc2_type": ("II",), "iso27001": True, "pentest_max_months": 12},
},
"High": {
"depth": "SIG Core + SOC 2 Type II + pen-test summary",
"cadence": "Reassess annually",
"require": {"sig": ("full", "core"), "soc2_type": ("II",), "iso27001": False, "pentest_max_months": 18},
},
"Moderate": {
"depth": "SIG Lite or CAIQ + key attestations",
"cadence": "Reassess every 2 years",
"require": {"sig": ("full", "core", "lite", "caiq"), "soc2_type": ("II", "I"), "iso27001": False, "pentest_max_months": None},
},
"Low": {
"depth": "Lightweight questionnaire / self-attestation",
"cadence": "Reassess every 3 years or on change",
"require": {"sig": ("full", "core", "lite", "caiq", "none"), "soc2_type": ("II", "I", "none"), "iso27001": False, "pentest_max_months": None},
},
}
def score_inherent(p):
breakdown = {}
breakdown["data_sensitivity"] = DATA_POINTS.get(p.get("data_sensitivity", "internal"), 1)
breakdown["access"] = ACCESS_POINTS.get(p.get("access", "none"), 0)
breakdown["criticality"] = CRIT_POINTS.get(p.get("criticality", "low"), 1)
breakdown["integration"] = INTEG_POINTS.get(p.get("integration", "none"), 0)
breakdown["regulated_scope"] = 2 if p.get("regulated_scope") else 0
breakdown["concentration"] = 1 if p.get("concentration") else 0
total = sum(breakdown.values())
return total, breakdown
def check_evidence(tier, ev):
req = TIER_PLAYBOOK[tier]["require"]
gaps = []
sig = (ev.get("sig") or "none").lower()
if sig not in req["sig"]:
gaps.append(f"Questionnaire '{sig}' insufficient for {tier} (need one of {', '.join(req['sig'])})")
soc = (ev.get("soc2_type") or "none")
if soc not in req["soc2_type"]:
gaps.append(f"SOC 2 type '{soc}' insufficient for {tier} (need {', '.join(req['soc2_type'])})")
if soc == "II" and ev.get("soc2_period_months", 0) < 6:
gaps.append("SOC 2 Type II period under 6 months - limited operating-effectiveness assurance")
if req["iso27001"] and not ev.get("iso27001"):
gaps.append(f"ISO 27001 certificate expected for {tier}")
pmax = req["pentest_max_months"]
if pmax is not None:
age = ev.get("pentest_age_months")
if age is None:
gaps.append(f"No pen-test on file (expected within {pmax} months for {tier})")
elif age > pmax:
gaps.append(f"Pen-test is {age} months old (>{pmax} for {tier}) - request a current test")
return gaps
def render(data):
vendor = data.get("vendor", {})
profile = data.get("profile", {})
evidence = data.get("evidence", {})
if not profile:
raise ValueError("profile is required to tier the vendor")
total, breakdown = score_inherent(profile)
tier = tier_for(total)
play = TIER_PLAYBOOK[tier]
gaps = check_evidence(tier, evidence) if evidence else ["No evidence provided - collect tier-appropriate evidence"]
lines = []
lines.append(f"# Vendor Risk Assessment - {vendor.get('name','Vendor')}")
lines.append("")
if vendor.get("service"):
lines.append(f"- **Service:** {vendor['service']}")
lines.append(f"- **Inherent-risk score:** {total} -> **Tier: {tier}**")
lines.append("")
lines.append("## Inherent-risk breakdown")
lines.append("")
lines.append("| Factor | Value | Points |")
lines.append("|---|---|---|")
lines.append(f"| Data sensitivity | {profile.get('data_sensitivity','-')} | {breakdown['data_sensitivity']} |")
lines.append(f"| Access | {profile.get('access','-')} | {breakdown['access']} |")
lines.append(f"| Criticality | {profile.get('criticality','-')} | {breakdown['criticality']} |")
lines.append(f"| Integration | {profile.get('integration','-')} | {breakdown['integration']} |")
lines.append(f"| Regulated scope | {', '.join(profile.get('regulated_scope', [])) or 'none'} | {breakdown['regulated_scope']} |")
lines.append(f"| Concentration | {profile.get('concentration', False)} | {breakdown['concentration']} |")
lines.append(f"| **Total** | | **{total}** |")
lines.append("")
lines.append(f"## {tier}-tier playbook")
lines.append("")
lines.append(f"- **Assessment depth:** {play['depth']}")
lines.append(f"- **Reassessment cadence:** {play['cadence']}")
lines.append("")
lines.append("## Evidence gaps")
lines.append("")
if not gaps:
lines.append(f"Evidence on file meets the {tier}-tier bar. Proceed to findings review and contracting.")
else:
for g in gaps:
lines.append(f"- {g}")
lines.append("")
lines.append("## Next steps")
lines.append("")
lines.append("1. Close the evidence gaps above (or document risk-accepted exceptions).")
lines.append("2. Review collected evidence critically (SOC 2 exceptions, ISO scope, CAIQ 'no' answers).")
lines.append("3. Record findings, residual risk, and a risk-owner decision.")
lines.append("4. Codify security terms, breach SLA, right-to-audit, and subprocessor flowdown in the contract.")
lines.append("5. Enroll in continuous monitoring per the cadence above.")
return "\n".join(lines), tier, gaps
def main():
ap = argparse.ArgumentParser(description="Vendor inherent-risk tiering + evidence-gap checker")
ap.add_argument("--input", "-i", required=True, help="Path to vendor profile JSON")
ap.add_argument("--output", "-o", help="Write Markdown assessment to this path")
ap.add_argument("--fail-on-evidence-gap", action="store_true",
help="Exit non-zero if any evidence gap remains for the tier")
args = ap.parse_args()
try:
with open(args.input) as f:
data = json.load(f)
except (OSError, json.JSONDecodeError) as e:
print(f"ERROR: could not read input JSON: {e}", file=sys.stderr)
return 2
try:
md, tier, gaps = render(data)
except ValueError as e:
print(f"ERROR: {e}", file=sys.stderr)
return 2
if args.output:
with open(args.output, "w") as f:
f.write(md + "\n")
print(f"Assessment written to {args.output}", file=sys.stderr)
else:
print(md)
print(f"Tier: {tier}; evidence gaps: {len(gaps)}.", file=sys.stderr)
if args.fail_on_evidence_gap and gaps:
print(f"FAIL: {len(gaps)} evidence gap(s) for {tier} tier.", file=sys.stderr)
return 1
return 0
if __name__ == "__main__":
sys.exit(main())