
Controls -> Evidence Map (FTC v. Drizly 2022)

Purpose

This technical appendix maps controls to objective evidence for FTC v. Drizly 2022, enabling rapid substantiation of control implementation and operating effectiveness. Security, compliance, and legal teams use it to show what is deployed, how it is monitored, and which records back an examiner or litigation request.

Hallucinated writing examples

Scenario: In an illustrative period following the FTC's October 2022 proposed consent order (finalized January 2023) arising from the July 2020 Drizly breach (time), the Senior Lead Security Engineer (role) prepares a controls-to-evidence map (type) for Chief Information Security Officer; Compliance Program Owner (audience).

CONTROLS -> EVIDENCE MAP (TECHNICAL APPENDIX)

To: Chief Information Security Officer; Compliance Program Owner
From: Senior Lead Security Engineer
Date: January 18, 2023
Subject: Control Implementation and Evidence Readiness Appendix — FTC Consent Order (FTC File No. 2023185)

Technical Objective: This appendix maps required control state to evidence artifacts and verification signals for domains addressed in the FTC complaint and Decision and Order. It is written for technical and compliance stakeholders who need substantiation of operating effectiveness, not policy statements alone.

Scope: Access control and credential management; monitoring and detection; data minimization and retention; program governance and biennial independent assessment.

1) Access Control and Credential Management:

Required Control State: Multifactor authentication enforced, not merely available, for every account with access to source code or production credentials; no long-lived credentials in source repositories, including commit history; role-based access with timely offboarding that covers access paths outside single sign-on (repository accounts, cloud IAM users, service accounts); strong password or equivalent authentication policy for in-scope accounts.
Evidence Artifacts: MFA enforcement policy exports and enrollment logs, with authentication logs showing sessions lacking a second factor being rejected; access review attestations; repository secret-scanning reports (history included) with remediation closure and credential rotation records; offboarding checklists with per-system access revocation timestamps; authentication policy version and distribution records.
Verification Signals: Percentage of privileged and source-code-access accounts with MFA enforced (target 100%); count of unremediated credentials detected in repositories, including history (target zero); median time from offboarding trigger to revocation of the last access path, with open offboardings reported separately.
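The three Section 1 signals are only useful if they are computed from the evidence exports rather than asserted. The following is an added example, not code from the original appendix or from Drizly: it computes MFA enforcement coverage, open repository credentials, and the offboarding-to-revocation median from constructed sample records. The record shapes (in_scope, mfa_enforced, verified_live, and so on) are assumptions about what an IdP export, a secret-scanning report, and an offboarding log would contain; the account, repository, and user names are constructed.

```python
"""Section 1 verification signals computed from evidence exports.

Added example; not the original appendix's code or anything from Drizly.
Every record below is constructed sample data, and the field names are
assumptions about what an IdP export, a secret-scanning report and an
offboarding log would contain.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Account:
    user: str
    in_scope: bool       # has source-code or production-credential access
    mfa_enrolled: bool   # user registered a second factor
    mfa_enforced: bool   # IdP policy rejects this user's sessions without it


@dataclass(frozen=True)
class SecretFinding:
    repo: str
    secret_type: str
    verified_live: bool  # scanner validated the credential against the provider
    remediated: bool     # rotated and removed, with closure recorded


@dataclass(frozen=True)
class Offboarding:
    user: str
    triggered: datetime            # HR termination event
    revoked: Optional[datetime]    # last access path revoked; None = still open


# Constructed sample evidence (assumed shape; not real exports).
ACCOUNTS = [
    Account("alice", True, True, True),
    Account("bob", True, True, False),    # enrolled but policy not applied: a gap
    Account("carol", False, False, False),
    Account("dave", True, True, True),
]
FINDINGS = [
    SecretFinding("app-backend", "aws_access_key", True, False),
    SecretFinding("infra", "slack_webhook", False, True),
]
OFFBOARDINGS = [
    Offboarding("erin", datetime(2023, 1, 9, 9, 0), datetime(2023, 1, 9, 11, 0)),
    Offboarding("frank", datetime(2023, 1, 10, 17, 0), datetime(2023, 1, 11, 9, 0)),
    Offboarding("grace", datetime(2023, 1, 12, 9, 0), None),
]


def mfa_coverage(accounts):
    """Percent of in-scope accounts with MFA both enrolled and enforced.

    Enrollment alone is not evidence: an examiner's sample test pulls the
    IdP policy, so only accounts the policy actually constrains count.
    """
    scope = [a for a in accounts if a.in_scope]
    if not scope:
        return 100.0
    enforced = sum(1 for a in scope if a.mfa_enrolled and a.mfa_enforced)
    return round(100.0 * enforced / len(scope), 1)


def mfa_gaps(accounts):
    """In-scope accounts that would fail the sample test."""
    return sorted(a.user for a in accounts
                  if a.in_scope and not (a.mfa_enrolled and a.mfa_enforced))


def open_repo_credentials(findings):
    """Unremediated secret-scanning findings, verified-live ones first."""
    return sorted((f for f in findings if not f.remediated),
                  key=lambda f: not f.verified_live)


def revocation_hours(offboardings):
    """Median hours from trigger to revocation, plus users still unrevoked.

    Open offboardings are reported separately rather than dropped, because
    dropping them would make the median look better as the backlog grows.
    """
    closed = [(o.revoked - o.triggered).total_seconds() / 3600
              for o in offboardings if o.revoked is not None]
    still_open = [o.user for o in offboardings if o.revoked is None]
    return (round(median(closed), 1) if closed else None), still_open


def section1_signals(accounts=ACCOUNTS, findings=FINDINGS, offboardings=OFFBOARDINGS):
    med, still_open = revocation_hours(offboardings)
    return {
        "mfa_enforced_pct": mfa_coverage(accounts),
        "mfa_gaps": mfa_gaps(accounts),
        "open_repo_credentials": [(f.repo, f.secret_type) for f in open_repo_credentials(findings)],
        "median_revocation_hours": med,
        "unrevoked_offboardings": still_open,
    }


if __name__ == "__main__":
    for k, v in section1_signals().items():
        print(f"{k}: {v}")
```

On the sample data the coverage figure is 66.7% rather than 100%, because bob is enrolled but not constrained by the enforcement policy; that distinction is exactly what an enrollment-only report would hide. The offboarding median is reported alongside the list of still-open offboardings so the backlog cannot quietly improve the metric.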

2) Monitoring and Detection:

Required Control State: Logging and monitoring for anomalous access and data exfiltration across all critical systems; documented alert thresholds with change history; regular assessment of protection measures; investigation workflow with retained outcomes.
Evidence Artifacts: Log source inventory reconciled against the critical-system inventory, with retention configuration exports; detection rule catalog and change history, including the thresholds in force on any given date; sample investigation tickets with timeline, containment actions, and closure rationale; internal or third-party assessment reports with remediation tracking.
Verification Signals: Percentage of critical systems with a confirmed log source; mean time to detect anomalous access or exfiltration patterns; percentage of high-severity alerts triaged within SLA; assessment finding closure rate.
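The detection rules behind "anomalous access" and "data exfiltration" are themselves evidence, and an examiner will ask what the thresholds were and how the rule behaves on real records. The following is an added example, not code from the original appendix or from Drizly: two rules run over constructed JSON access-log lines, one flagging download volume per user over a sliding window and one flagging logins from a source IP outside the user's baseline. The log format, the rule identifiers EXFIL-001 and ACCESS-002, the thresholds, and the baseline are all assumptions chosen for the example.

```python
"""Detection logic for the Section 2 signals, run over constructed log lines.

Added example; not from the original appendix or from Drizly. The JSON
access-log format, the rule identifiers and the thresholds are assumptions
chosen for the example; real thresholds belong in the detection rule catalog
with their change history.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Documented alert thresholds (the artifact an examiner asks for). Assumed values.
EXFIL_WINDOW = timedelta(minutes=10)
EXFIL_BYTES = 500_000_000          # >500 MB downloaded by one user in the window

# Per-user baseline of source IPs seen during a normal period (constructed).
BASELINE_IPS = {"alice": {"10.0.1.7"}, "bob": {"10.0.1.8"}, "svc-export": {"10.0.4.12"}}

# Constructed sample log lines (not real data).
LOG_LINES = """
{"ts":"2023-01-15T02:01:00Z","user":"svc-export","src_ip":"10.0.4.12","action":"download","bytes":250000000,"resource":"db-customers"}
{"ts":"2023-01-15T02:04:00Z","user":"svc-export","src_ip":"10.0.4.12","action":"download","bytes":300000000,"resource":"db-customers"}
{"ts":"2023-01-15T09:15:00Z","user":"alice","src_ip":"10.0.1.7","action":"login","bytes":0,"resource":"github"}
{"ts":"2023-01-15T09:20:00Z","user":"alice","src_ip":"10.0.1.7","action":"download","bytes":12000,"resource":"repo-app"}
{"ts":"2023-01-15T23:40:00Z","user":"bob","src_ip":"203.0.113.9","action":"login","bytes":0,"resource":"aws-console"}
""".strip().splitlines()


def parse(lines):
    """Parse JSON lines into event dicts ordered by timestamp."""
    events = []
    for line in lines:
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def detect_exfil(events, window=EXFIL_WINDOW, limit=EXFIL_BYTES):
    """EXFIL-001: sliding-window download volume per user exceeds the threshold."""
    alerts = []
    per_user = defaultdict(list)
    for e in events:
        if e["action"] == "download":
            per_user[e["user"]].append(e)
    for user, evs in per_user.items():
        start, total = 0, 0
        for i, e in enumerate(evs):
            total += e["bytes"]
            while e["ts"] - evs[start]["ts"] > window:   # drop events that left the window
                total -= evs[start]["bytes"]
                start += 1
            if total > limit:
                alerts.append({
                    "rule": "EXFIL-001", "user": user,
                    "window_end": e["ts"].isoformat(), "bytes_in_window": total,
                    "resources": sorted({x["resource"] for x in evs[start:i + 1]}),
                })
                break   # one alert per user per run; the ticket carries the timeline
    return alerts


def detect_new_source(events, baseline=BASELINE_IPS):
    """ACCESS-002: login from a source IP outside the user's baseline.

    A user with no baseline at all is treated as anomalous rather than
    silently skipped, so new or forgotten accounts cannot bypass the rule.
    """
    alerts, seen = [], set()
    for e in events:
        if e["action"] != "login":
            continue
        key = (e["user"], e["src_ip"])
        if e["src_ip"] in baseline.get(e["user"], set()) or key in seen:
            continue
        seen.add(key)
        alerts.append({"rule": "ACCESS-002", "user": e["user"], "src_ip": e["src_ip"],
                       "ts": e["ts"].isoformat(), "resource": e["resource"]})
    return alerts


def run(lines=LOG_LINES, baseline=BASELINE_IPS):
    """Run both rules and return alert records ready to open investigation tickets."""
    events = parse(lines)
    return detect_exfil(events) + detect_new_source(events, baseline)


if __name__ == "__main__":
    for a in run():
        print(json.dumps(a))
```

On the sample lines, svc-export trips EXFIL-001 (550 MB within three minutes against a 500 MB per ten-minute threshold) and bob trips ACCESS-002 (console login from 203.0.113.9, outside his baseline); alice's normal activity produces nothing. Each alert record carries the fields an investigation ticket needs (rule, user, timestamp, resource, and the triggering quantity), which is what makes the ticket evidence rather than a narrative.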

3) Data Minimization and Retention:

Required Control State: Published data retention schedule; process to delete or de-identify personal information when no longer necessary for specified purposes; collection and use limited to necessity.
Evidence Artifacts: Retention schedule (public or internal, per order); data inventory by purpose and retention period; deletion or de-identification logs; periodic compliance review records.
Verification Signals: Retention schedule adherence rate; volume of data deleted or de-identified per reporting period; count of exceptions with documented business justification and approval.

4) Program Governance and Assessment:

Required Control State: Written information security program; designated program coordinator; risk assessment; training; testing and monitoring; service provider oversight; biennial independent third-party security assessment with report available to the FTC upon request.
Evidence Artifacts: Approved program document and version history; coordinator designation and reporting line; risk assessment outputs; training completion records; testing reports; vendor oversight evidence; biennial assessor statement of work and final report with remediation plan.
Verification Signals: Program document last approved date; risk review cadence met; training coverage percentage for in-scope roles; biennial assessment completion date and scope; open high findings aging.

Submission Note: This appendix is technical by design and intended to accompany executive or regulator-facing narrative documents as implementation proof for consent order obligations.

Document-type guide: Security Control Implementation Explanation

Writing tips: Writing best practices — Compliance Justification Document

© 2026 Yi Zhang. Licensed under the MIT License.
Last updated: 2026 April 17 9:37 AM