
Audit Packet Checklist (48-hour evidence readiness) — FTC v. Drizly

If examined (by the FTC, an auditor, or in litigation), be able to produce the following within 48 hours, where applicable.

A) Information security program

  • Written information security program document
  • Designation of program coordinator and reporting structure
  • Risk assessment and risk register (relevant entries)
  • Program update and approval records

B) Access control and credential management

  • MFA enrollment and enforcement evidence (privileged/sensitive accounts)
  • Access review records and offboarding evidence
  • Repository scanning results (no credentials in code)
  • Password or authentication policy

C) Monitoring and detection

  • Log source inventory and retention policy
  • Detection rules and alert thresholds (e.g., anomalous login, exfiltration)
  • Sample investigation tickets and outcomes

D) Data minimization and retention

  • Data retention schedule (public or internal)
  • Deletion or de-identification logs
  • Data inventory by purpose and retention period

E) Training and testing

  • Security training records and content
  • Assessment or test reports (internal or third-party)
  • Biennial independent assessment report (if due)

F) Consent order compliance and recordkeeping

  • Consent order milestone tracking
  • Evidence index mapping controls to order requirements
  • Compliance reports and records produced to the FTC upon request

© 2026 Yi Zhang. Licensed under the MIT License.