Audit Packet Checklist (Zoom Video Communications, Inc.)¶
Evidence checklist for order and assessment readiness.
Purpose¶
This document turns the FTC Zoom matter into a practical security, legal, and governance artifact. It is grounded in the FTC complaint, the final Decision and Order, and FTC public statements about alleged encryption, cloud-recording, software-update, and security-program failures.
Hallucinated writing examples¶
Scenario: (2021) (Security/legal lead) (executive, regulator, customer, or assessor audience) (GRC lead assembles regulator or assessor packet within 48 hours.)
Subject: Audit Packet Checklist for Zoom FTC order response
Context: The FTC alleged that Zoom made misleading statements about meeting encryption, cloud recording protection, and a Mac update that installed the ZoomOpener web server. The final order requires a comprehensive information security program, security review of software updates, biennial independent assessments, breach notification to the Commission, and restrictions on future privacy and security misrepresentations.
Decision or ask: Approve a cross-functional remediation track focused on assembling evidence for order and assessment readiness. The work should be jointly owned by Security, Product Engineering, Legal, Privacy, Communications, and GRC so public claims, product behavior, and evidence records remain aligned.
Implementation: Collect signed policies, risk assessments, release-review tickets, cryptographic test records, vulnerability metrics, MFA reports, deletion logs, and incident notification playbooks. The first phase inventories public and in-product security claims; the second phase validates cryptographic design, key custody, update behavior, and cloud-recording storage; the third phase creates release gates and evidence packages for independent assessment.
Measurement: Track claim-review coverage, percentage of security-sensitive releases reviewed before launch, encryption-control test results, unresolved high-risk findings, assessor evidence acceptance rate, and time to remediate exceptions.
Expected output: A 48-hour checklist for counsel, assessor, or regulator requests. Success means Zoom can demonstrate that security statements are reviewed before publication, software updates do not weaken third-party security protections, and order-required controls are supported by durable evidence rather than one-time attestations.