Security Governance Memo (FTC v. Drizly 2022)
Define or clarify governance roles and escalation for the information security program and consent order.
Purpose
An internal memo that clarifies: (1) who is designated to coordinate the information security program (as the FTC order requires); (2) reporting lines (CISO to an executive officer; that executive to the Board); (3) the escalation path for material risks and consent order milestones; (4) Board or committee oversight (e.g., the Audit Committee) and the reporting cadence. It supports examiner questions on governance and accountability.
Illustrative writing example (hypothetical)
Scenario. In November 2022, after the FTC accepted the consent order, the CISO issues a security governance memo to the Board Audit Committee to document governance, oversight, and escalation for consent order compliance.
MEMORANDUM
This memorandum documents the governance structure for the Company's information security program and for compliance with the FTC consent order (FTC Docket No. 2023185). The scenario is illustrative; the governance roles and obligations described here are derived from the FTC Decision and Order.
Program ownership. The Company has designated a qualified person to coordinate the information security program and to be responsible for it. In this scenario that person is the CISO, who reports to the Chief Executive Officer; the Chief Executive Officer reports to the Board. The coordinator's responsibilities include risk identification, safeguard selection and implementation, monitoring and testing, training, service provider oversight, and program documentation.
Board oversight. The Board Audit Committee oversees program effectiveness and consent order milestones. Management will report to the Committee quarterly on program metrics, the status of each consent order milestone, and any material risks or compliance issues.
Escalation. Outside the quarterly cadence, the CISO will escalate to the Committee within five business days any of the following: (1) suspected unauthorized access to covered personal information; (2) material failures of MFA, credential controls, or monitoring coverage; (3) a missed or at-risk consent order milestone; or (4) an independent assessment finding rated "high" that is not remediated within the approved timeline.
Evidence readiness. Management will maintain a control-to-evidence index that maps each order requirement to the control that satisfies it and to the artifacts that demonstrate the control, to support FTC requests, internal audits, and the biennial independent assessments.
Primary sources
- FTC Decision and Order: Decision and Order — Drizly, LLC, and James Cory Rellas, FTC Docket No. 2023185 (Oct. 24, 2022).