Controls -> Evidence Map (FTC v. Wyndham Worldwide Corp.)
Purpose
This technical appendix maps controls to objective evidence for FTC v. Wyndham Worldwide Corp., enabling rapid substantiation of implementation and operating effectiveness. It is used by security, compliance, and legal teams to demonstrate what is deployed, how it is monitored, and what records support examiner or litigation requests.
Hallucinated writing examples
Scenario: In an illustrative period following the Third Circuit Wyndham decision and the stipulated injunction (time), the Senior Lead Security Engineer (role) prepares a controls-to-evidence map (type) for the Chief Information Security Officer and Compliance Program Owner (audience).
CONTROLS -> EVIDENCE MAP (TECHNICAL APPENDIX)
1) Segmentation and Connectivity:
Required Control State: Documented least-privilege connectivity between property environments and corporate cardholder-data segments; rule reviews on a defined cadence.
Evidence Artifacts: Network diagrams; firewall rule exports; change tickets; periodic review attestations; exception register with approvals.
Verification Signals: Count of undocumented connections (target zero); percentage of rules reviewed per quarter; time-to-remediate critical rule findings.
2) Privileged and Remote Access:
Required Control State: Strong authentication for administrative access; controlled vendor remote access with logging.
Evidence Artifacts: Authentication policy; MFA enforcement reports; vendor access logs; session recordings where used.
Verification Signals: MFA coverage for privileged accounts; median vendor session provisioning time; count of emergency break-glass events.
3) Monitoring and Incident Response:
Required Control State: Centralized security monitoring for lateral movement and bulk export patterns; documented IR playbooks.
Evidence Artifacts: SIEM use cases; alert tuning history; incident timelines; post-incident review records.
Verification Signals: Critical-use-case coverage; MTTD/MTTR for priority scenarios; repeat incident rate by root-cause category.
4) Assessment and Remediation:
Required Control State: Annual PCI DSS–oriented assessments as described in the order; tracked remediation.
Evidence Artifacts: Assessor reports; remediation plans; evidence of closure; management representation letters as applicable.
Verification Signals: Open high-severity finding aging; repeat findings year over year.
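To show how the verification signals listed for the four controls can be computed from the evidence artifacts rather than asserted, the following Python script is an added example; it is not part of the appendix or of any Wyndham filing. Every record in it (the parsed firewall rule export, the connection register, the account list, the incident timelines, the assessor findings) is constructed for illustration, and the field names and the "detected-to-resolved" definition of MTTR are assumptions of the example.

```python
"""Added example: compute the controls-to-evidence map's verification signals
from constructed evidence artifacts. All records below are constructed."""
from collections import Counter
from datetime import date, datetime
from statistics import mean

AS_OF = date(2024, 3, 31)  # reporting date for the illustrative period (constructed)

# ---- Control 1: Segmentation and Connectivity ---------------------------
# Constructed firewall rule export (already parsed) and the documented
# connection register that every rule must trace back to.
FIREWALL_RULES = [
    {"id": "fw-001", "src": "property-net", "dst": "corp-chd-seg", "port": 443,
     "ticket": "CHG-1001", "last_reviewed": date(2024, 2, 10)},
    {"id": "fw-002", "src": "property-net", "dst": "corp-chd-seg", "port": 22,
     "ticket": None, "last_reviewed": date(2023, 11, 5)},
    {"id": "fw-003", "src": "vendor-vpn", "dst": "property-net", "port": 3389,
     "ticket": "CHG-1007", "last_reviewed": date(2024, 1, 20)},
    {"id": "fw-004", "src": "corp-chd-seg", "dst": "property-net", "port": 1433,
     "ticket": "CHG-1012", "last_reviewed": date(2024, 3, 1)},
]
CONNECTION_REGISTER = {
    ("property-net", "corp-chd-seg", 443),
    ("vendor-vpn", "property-net", 3389),
    ("corp-chd-seg", "property-net", 1433),
}

def undocumented_connections(rules, register):
    """Rule ids with no register entry or no approving change ticket (target: empty)."""
    return [r["id"] for r in rules
            if (r["src"], r["dst"], r["port"]) not in register or not r["ticket"]]

def quarter_start(day):
    return date(day.year, 3 * ((day.month - 1) // 3) + 1, 1)

def pct_rules_reviewed(rules, as_of):
    """Share of rules whose review attestation falls in the quarter containing as_of."""
    reviewed = sum(r["last_reviewed"] >= quarter_start(as_of) for r in rules)
    return round(100.0 * reviewed / len(rules), 1)

# ---- Control 2: Privileged and Remote Access ----------------------------
ACCOUNTS = [  # constructed identity export
    {"user": "admin1", "privileged": True, "mfa": True},
    {"user": "admin2", "privileged": True, "mfa": False},
    {"user": "svc-backup", "privileged": True, "mfa": True},
    {"user": "clerk1", "privileged": False, "mfa": False},
]

def mfa_coverage(accounts):
    """Percentage of privileged accounts with MFA enforced."""
    priv = [a for a in accounts if a["privileged"]]
    return round(100.0 * sum(a["mfa"] for a in priv) / len(priv), 1) if priv else 100.0

# ---- Control 3: Monitoring and Incident Response ------------------------
INCIDENTS = [  # constructed incident timelines
    {"id": "IR-7", "occurred": datetime(2024, 2, 3, 1, 0), "detected": datetime(2024, 2, 3, 3, 0),
     "resolved": datetime(2024, 2, 3, 9, 0), "root_cause": "credential-misuse"},
    {"id": "IR-8", "occurred": datetime(2024, 3, 10, 22, 0), "detected": datetime(2024, 3, 11, 2, 0),
     "resolved": datetime(2024, 3, 11, 10, 0), "root_cause": "credential-misuse"},
    {"id": "IR-9", "occurred": datetime(2024, 3, 15, 12, 0), "detected": datetime(2024, 3, 15, 12, 30),
     "resolved": datetime(2024, 3, 15, 16, 30), "root_cause": "misconfiguration"},
]

def mttd_mttr_hours(incidents):
    """MTTD = occurred->detected; MTTR = detected->resolved (assumed definition)."""
    mttd = mean((i["detected"] - i["occurred"]).total_seconds() for i in incidents) / 3600
    mttr = mean((i["resolved"] - i["detected"]).total_seconds() for i in incidents) / 3600
    return round(mttd, 2), round(mttr, 2)

def repeat_incidents_by_root_cause(incidents):
    """Root-cause categories that recurred in the period, with their counts."""
    counts = Counter(i["root_cause"] for i in incidents)
    return {cause: n for cause, n in counts.items() if n > 1}

# ---- Control 4: Assessment and Remediation ------------------------------
FINDINGS = [  # constructed assessor findings with remediation tracking
    {"id": "F-1", "severity": "high", "opened": date(2024, 1, 15), "closed": None},
    {"id": "F-2", "severity": "high", "opened": date(2024, 3, 1), "closed": date(2024, 3, 20)},
    {"id": "F-3", "severity": "low", "opened": date(2024, 2, 1), "closed": None},
]
FINDING_CATEGORIES_BY_YEAR = {  # constructed year-over-year assessment results
    2023: {"weak-segmentation", "missing-mfa", "unpatched-host"},
    2024: {"missing-mfa", "unpatched-host"},
}

def open_high_finding_aging(findings, as_of):
    """Days each still-open high-severity finding has been open."""
    return {f["id"]: (as_of - f["opened"]).days
            for f in findings if f["severity"] == "high" and f["closed"] is None}

def repeat_findings(by_year):
    """Finding categories that reappear from one assessment year to the next."""
    years = sorted(by_year)
    return {y: by_year[y] & by_year[prev] for prev, y in zip(years, years[1:])}

def build_evidence_map(as_of=AS_OF):
    """Assemble every verification signal so it can be attached to the map."""
    mttd, mttr = mttd_mttr_hours(INCIDENTS)
    return {
        "segmentation": {
            "undocumented_connections": undocumented_connections(FIREWALL_RULES, CONNECTION_REGISTER),
            "pct_rules_reviewed_this_quarter": pct_rules_reviewed(FIREWALL_RULES, as_of)},
        "privileged_access": {"mfa_coverage_pct": mfa_coverage(ACCOUNTS)},
        "monitoring_ir": {"mttd_hours": mttd, "mttr_hours": mttr,
                          "repeat_by_root_cause": repeat_incidents_by_root_cause(INCIDENTS)},
        "assessment": {"open_high_finding_age_days": open_high_finding_aging(FINDINGS, as_of),
                       "repeat_findings": repeat_findings(FINDING_CATEGORIES_BY_YEAR)},
    }

if __name__ == "__main__":
    for control, signals in build_evidence_map().items():
        print(control, signals)
```

Each signal is derived from an artifact the map already names (rule export plus register, MFA report, incident timeline, assessor findings), so the output can be filed next to the artifact it was computed from; a rule that lacks a ticket or a register entry surfaces as an undocumented connection even when it is otherwise approved, which is the condition the "target zero" signal exists to catch.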