Risk Register (FTC v. Drizly 2022)
Risk entries relevant to credential management, access control, monitoring, and data retention for audit and consent order compliance.
Purpose
A risk register that documents material security risks and their mitigations. Following the FTC order, entries should include:
(1) Access control and credential management: risk of unauthorized access via weak or reused credentials; mitigation: MFA, no credentials in code, access reviews.
(2) Monitoring and detection: risk of undetected exfiltration or anomalous access; mitigation: logging, detection rules, assessments.
(3) Data retention: risk of retaining personal information beyond what is necessary; mitigation: a retention schedule and a deletion process.
(4) Program maturity: risk of inadequate program ownership and follow-through; mitigation: a designated coordinator, a written program, and a biennial assessment.
Each entry should have an owner, a mitigation status, and a link to supporting evidence for examiner or auditor review.
Primary sources
- FTC Decision and Order: Decision and Order — Drizly, LLC, and James Cory Rellas, FTC Docket No. 2023185 (Oct. 24, 2022).