Security Program Design

Your Gridiron Data Model is populated by designing and maintaining your Security Program.


Tell us a bit more about your organization. Imagine you are writing for an auditor, or someone else who is generally familiar with SaaS and cloud companies, but not yours specifically. These sections are used to add background and context to your Gridiron deliverables.

Your Gridiron account manager will provide you with a template and set of instructions for writing your initial set of information security procedures. Here, we collect the title and URL of your version, to use elsewhere in Gridiron.


Tell us a bit more about locations where your organization gets work done. Add offices, and be sure to let Gridiron know if you have remote workers. You may omit home offices, coffee shops, etc. Workforce

Tell us who is responsible for certain information security duties. Gridiron uses this information to assign and audit training, build your policies and incident response plans, automate your security management tasks, and alert you and your team when something needs attention.

Be sure to include phone numbers for team members with designated security responsibilities.

Apps and Databases

Add apps that you build or deploy. Add databases that you manage. If you have access to Aptible Deploy apps or databases, you can import them here.

You should be sure to complete the following tabs:


Gridiron collects some basic data about your app.


Where is this app or database hosted? Does it rely on data from or use other apps, databases, logging systems, or data storage platforms?



The information classification levels shown here are defined in your Data Classification Policy. They are:

  • Sensitive: PHI, PII, and other regulated or high-risk data.
  • Restricted: Need-to-know within your organization. Examples: payroll data, HR files, disciplinary records, etc.
  • Confidential: Non-public. Sometimes subject to NDA. Most internal business information is Confidential.
  • Public: Freely available. Example: Your public marketing website.
  • Be sure to fill out Maximum Tolerable Downtime; it’s an important business criticality planning metric.
  • Databases have additional questions about how you back up, archive, and delete data.


Use the tooltips for this tab, they contain helpful definitions.

Component Systems

Components share many of the same Data and Criticality attributes as Apps and Databases.


These are populated based on what apps and databases you use.


For example, AWS S3.


Audit logs must be specifically protected in many frameworks.

SaaS Services

Add the services you use. These vendors will automatically be added to your vendor management tool. Be sure to note if this service is needed in order for you to respond effectively to incidents.

If this is a service that handles Sensitive data or supports a high impact business critical service, you should consider adding a Security Review item to remind your team to check users, security settings, logs, etc.

Predisposing Conditions

Tell Gridiron about how you run your business.

Security Controls

Tell Gridiron what controls you have implemented right now. We will review your draft risk assessment and policies with your Technical Account Manager.