Aptible Comply Documentation

(Legacy) Gridiron Documentation

❗️

This area of documentation describes our legacy products, ComplianceOS and Gridiron Classic.

If you are looking for our most up-to-date documentation of our current Aptible Comply product, please see Welcome to Aptible Comply.

Data Structure

Gridiron is exposed as a navigable API at https://gridiron.aptible.com.

Gridiron Data Model

Your Gridiron Data Model consists of all of the choices you make about what to build and how to run your business. Your Data Model is configured using Security Program Design.

Gridiron Risk Graph

Aptible maintains the Gridiron Risk Graph, which is how Gridiron transforms your Data Model into your unique Risk Model. The Risk Graph contains all knowledge of the specific baseline controls, policies, compliance requirements, and controls you need for your Gridiron Protocols.

Gridiron Risk Model

Your Gridiron Risk Model is a constantly changing model of your organization’s security program, the risks you face, and your methods of dealing with those risks. Your specific Risk Model is how compliance deliverables are generated, such as risk assessments, policy manuals, custom training for your workforce, and more.


Security Program Design

Your Gridiron Data Model is populated by designing and maintaining your Security Program.

Organization

Tell us a bit more about your organization. Imagine you are writing for an auditor, or someone else who is generally familiar with SaaS and cloud companies, but not yours specifically. These sections are used to add background and context to your Gridiron deliverables.

Your Gridiron account manager will provide you with a template and set of instructions for writing your initial set of information security procedures. Here, we collect the title and URL of your version, to use elsewhere in Gridiron.

Locations

Tell us a bit more about locations where your organization gets work done. Add offices, and be sure to let Gridiron know if you have remote workers. You may omit home offices, coffee shops, etc.

Workforce

Tell us who is responsible for certain information security duties. Gridiron uses this information to assign and audit training, build your policies and incident response plans, automate your security management tasks, and alert you and your team when something needs attention.

Be sure to include phone numbers for team members with designated security responsibilities.

Apps and Databases

Add apps that you build or deploy. Add databases that you manage. If you have access to Aptible Deploy apps or databases, you can import them here.

You should be sure to complete the following tabs:

Info

Gridiron collects some basic data about your app.

Systems

Where is this app or database hosted? Does it rely on data from or use other apps, databases, logging systems, or data storage platforms?

Data

  • Be sure to fill out Maximum Tolerable Downtime; it’s an important business criticality planning metric.
  • Databases have additional questions about how you back up, archive, and delete data.

Criticality

Use the tooltips for this tab; they contain helpful definitions.

Component Systems

Components share many of the same Data and Criticality attributes as Apps and Databases.

Backends

These are populated based on what apps and databases you use.

Storage

For example, AWS S3.

Logging

Audit logs must be specifically protected in many frameworks.

SaaS Services

Add the services you use. These vendors will automatically be added to your vendor management tool. Be sure to note if this service is needed in order for you to respond effectively to incidents.

If this is a service that handles Sensitive data or supports a high impact business critical service, you should consider adding a Security Review item to remind your team to check users, security settings, logs, etc.

Predisposing Conditions

Tell Gridiron about how you run your business.

Security Controls

Tell Gridiron what controls you have implemented right now. We will review your draft risk assessment and policies with your Technical Account Manager.


Engines

Gridiron Engines consume your Gridiron Risk Model to produce security management and compliance deliverables.

Risk Analysis

The Gridiron Classic Risk Engine produces NIST SP 800-30 Rev. 1 risk analyses by consuming your Gridiron Risk Graph.

Policy Management

The Gridiron Classic Policy Engine produces ISO 27001-compliant policies by consuming your Gridiron Risk Graph.

Training

The Gridiron Classic Training Engine is how you assign and audit security/privacy training.

Users are automatically assigned to your organization’s Basic privacy and security awareness training when they are added to your Aptible Organization.


Tools

Gridiron Classic includes several tools to help run your security management program:

Contract Management

Track customer contracts and security/incident obligations.

Incident Response

Track security and privacy incidents.

Security Reviews

Track recurring security reviews, such as checking access controls.


Updated 6 months ago
