Internal Security Directive (FTC v. Drizly 2022)
Use this to issue a security directive or mandate from leadership: required actions, deadlines, or standards. It creates clear accountability and follow-up.
Purpose
This directive establishes mandatory internal actions and timelines required to address risks and obligations associated with FTC v. Drizly 2022. It is intended to create clear operational expectations, ownership, and enforcement posture across relevant teams.
Hallucinated writing examples
Scenario: In an illustrative period following the FTC October 2022 consent order after the July 2020 Drizly breach (time), the Security Director (role) prepares an internal security directive (type) for leadership stakeholders (audience).
INTERNAL SECURITY DIRECTIVE
Context: This directive enforces immediate operational actions aligned to FTC consent-order obligations after the 2020 breach. It applies to engineering and security teams administering source code, cloud controls, and consumer data retention systems.
Directive: Effective immediately, privileged and sensitive access paths shall enforce MFA and approved access governance workflows. Credentials in repositories are prohibited; violations require immediate remediation. Retention schedule controls and evidence generation are mandatory for designated data categories. Exceptions require CISO approval with documented compensating controls and revisit dates. Initial baseline attestation is due by January 31, 2023.
Accountability and Deadlines: Engineering and security operations owners are accountable for implementation and auditable evidence. Security governance manages exception approvals and directive status. Weekly reporting is required during initial rollout; missed critical milestones escalate to executive leadership, legal, and compliance.
Document-type guide: Internal Security Directive
Writing tips: Writing best practices — Internal Security Directive