(Legacy) Gridiron Documentation
This area of documentation describes our legacy products, ComplianceOS and Gridiron Classic.
If you are looking for our most up-to-date documentation of our current Aptible Comply product, please see Welcome to Aptible Comply.
Data Structure
Gridiron is exposed as a navigable API at https://gridiron.aptible.com.
Gridiron Data Model
Your Gridiron Data Model consists of all of the choices you make about what to build and how to run your business. Your Data Model is configured using Security Program Design.
Gridiron Risk Graph
Aptible maintains the Gridiron Risk Graph, which is how Gridiron transforms your Data Model into your unique Risk Model. The Risk Graph contains all knowledge of the specific baseline controls, policies, and compliance requirements you need for your Gridiron Protocols.
Gridiron Risk Model
Your Gridiron Risk Model is a constantly changing model of your organization’s security program, the risks you face, and your methods of dealing with those risks. Your specific Risk Model is how compliance deliverables are generated, such as risk assessments, policy manuals, custom training for your workforce, and more.
Security Program Design
Your Gridiron Data Model is populated by designing and maintaining your Security Program.
Organization
Tell us a bit more about your organization. Imagine you are writing for an auditor, or someone else who is generally familiar with SaaS and cloud companies, but not yours specifically. These sections are used to add background and context to your Gridiron deliverables.
Your Gridiron account manager will provide you with a template and set of instructions for writing your initial set of information security procedures. Here, we collect the title and URL of your version, to use elsewhere in Gridiron.
Locations
Tell us a bit more about locations where your organization gets work done. Add offices, and be sure to let Gridiron know if you have remote workers. You may omit home offices, coffee shops, etc.
Workforce
Tell us who is responsible for certain information security duties. Gridiron uses this information to assign and audit training, build your policies and incident response plans, automate your security management tasks, and alert you and your team when something needs attention.
Be sure to include phone numbers for team members with designated security responsibilities.
Apps and Databases
Add apps that you build or deploy. Add databases that you manage. If you have access to Aptible Deploy apps or databases, you can import them here.
You should be sure to complete the following tabs:
Info
Gridiron collects some basic data about your app.
Systems
Where is this app or database hosted? Does it rely on data from or use other apps, databases, logging systems, or data storage platforms?
Data
- Be sure to fill out Maximum Tolerable Downtime; it’s an important business criticality planning metric.
- Databases have additional questions about how you back up, archive, and delete data.
Criticality
Use the tooltips for this tab; they contain helpful definitions.
Component Systems
Components share many of the same Data and Criticality attributes as Apps and Databases.
Backends
These are populated based on what apps and databases you use.
Storage
For example, AWS S3.
Logging
Audit logs must be specifically protected in many frameworks.
SaaS Services
Add the services you use. These vendors will automatically be added to your vendor management tool. Be sure to note if this service is needed in order for you to respond effectively to incidents.
If this is a service that handles Sensitive data or supports a high impact business critical service, you should consider adding a Security Review item to remind your team to check users, security settings, logs, etc.
Predisposing Conditions
Tell Gridiron about how you run your business.
Security Controls
Tell Gridiron what controls you have implemented right now. We will review your draft risk assessment and policies with your Technical Account Manager.
Engines
Gridiron Engines consume your Gridiron Risk Model to produce security management and compliance deliverables.
Risk Analysis
The Gridiron Classic Risk Engine produces NIST SP 800-30 Rev. 1 risk analyses by consuming your Gridiron Risk Graph.
Policy Management
The Gridiron Classic Policy Engine produces ISO 27001-compliant policies by consuming your Gridiron Risk Graph.
Training
The Gridiron Classic Training Engine is how you assign and audit security/privacy training.
Users are automatically assigned to your organization’s Basic privacy and security awareness training when they are added to your Aptible Organization.
Tools
Gridiron Classic includes several tools to help run your security management program:
Contract Management
Track customer contracts and security/incident obligations.
Incident Response
Track security and privacy incidents.
Security Reviews
Track recurring security reviews, such as checking access controls.
Updated over 2 years ago