Getting Started

In this guide, we explain what to expect as you start using Gridiron to manage security and privacy in your organization.

This guide is designed for your organization’s first Gridiron Admins. Ideally you will have at least two Gridiron Admins to start: The person with primary responsibility for information security for your organization (designated as your Security Officer in Gridiron), and a backup.

As an Admin, you can be technical or non-technical. You will receive training on your duties as part of Gridiron onboarding.

Resources

1. This site (https://www.aptible.com/documentation) has documentation, guides, and FAQs for both Gridiron and Enclave. Use the search bar in the top left if you are unsure where to find what you need.

2. The Aptible Resources page has diagrams and materials, such as the Gridiron Compliance Model diagram (located in the Gridiron Reference Documents resource).

3. You can always contact Aptible Support with questions as you go!

Prerequisites

Before you get started here, make sure you have an Aptible account with Gridiron enabled. Invite any other admins to the Gridiron Owners role. If your organization is also using Enclave, make sure you have provisioned at least one environment.

Onboarding Steps

1. Your Aptible account executive will coordinate with you to get your Gridiron Admins scheduled for Security Officer training. This training is delivered via webinar and is 2.5 hours long. During the training, you and your Gridiron account manager will cover an overview of how your specific Gridiron protocols work (HIPAA, SOC 2, ISO 27001, etc.). You will also learn how the Gridiron data model works, how the Gridiron Compliance Model maps to business processes and tasks, and how those processes and tasks map to Gridiron tools, engines, and reports.

2. As we go through Security Officer training, we will keep a running log of TODO items in your Security Plan of Action and Milestones. We will use this as a project management tool to organize your security management program. If you would prefer to use a tool such as Trello or Jira for this, you may use that instead.

3. After initial Security Officer training is complete, you will start building your asset inventory in Gridiron, conducting security impact and business continuity planning along the way. Gridiron will guide you through these planning steps, and your Gridiron account manager will schedule additional sessions as necessary to answer questions you have along the way.

4. Once your initial Gridiron configuration is complete, you will use the Gridiron engines to publish initial versions of your first compliance deliverables, such as your risk assessment and treatment plan, and your policies and procedures. We can update these easily at any time.

5. Now that you have established an initial set of policies and controls, we can add the rest of your workforce to Gridiron to train them on your new security management program. Everyone in your workforce will receive basic security awareness training, specific to your Gridiron protocols and your specific security control decisions (e.g., will you require criminal background screening? Will you require mobile device management on laptops?).

6. Developers and others involved in software development (product managers, etc.) will receive Advanced training, which is 90 minutes long and delivered via webinar. We will cover topics such as secure software development lifecycles, additional risks/controls for developers (such as protecting SSH keys), and technical requirements for your chosen Gridiron protocols (such as considerations around implementing HIPAA audit logging).

7. Finally, your Gridiron account manager will conduct a debriefing session to answer any questions you have and help document any exceptions and plan next steps, such as an audit or certification. Congratulations!