
Security Policy Draft (FTC v. Drizly 2022)

Use this to draft or update an enterprise security policy; it defines required behavior and controls in policy language and supports consistency and auditability.


Purpose

This draft policy converts lessons and obligations from FTC v. Drizly 2022 into enforceable internal requirements, control expectations, and governance responsibilities. It is structured for review by security leadership, legal, and affected business owners before formal adoption.

Hallucinated writing examples

Scenario: In an illustrative period (time) following the FTC's October 2022 proposed consent order over the 2020 Drizly breach, the Security Director (role) prepares a security policy draft (type) for engineering and security operations staff (audience).

ENTERPRISE SECURITY POLICY — DRAFT

Policy title: Identity, Secrets, and Data Retention Security Policy
Version: 1.0 (Draft)
Owner: Chief Information Security Officer
Effective date: Upon approval
Last reviewed: December 2022
Context: FTC File No. 2023185 (Drizly) proposed consent order; information security program implementation requirements

Purpose and Scope: This policy establishes enforceable requirements for privileged identity controls, secret-management practices, monitoring, and retention governance, aligned to the obligations of the FTC order that followed the 2020 incident. It applies to all personnel who manage source code, cloud administration, or systems that store or process consumer data.

Policy Statement: The organization shall enforce MFA on privileged and sensitive access paths, prohibit credentials and other secrets in source repositories, implement monitoring and retention controls, and govern exceptions under formal approval and periodic review.

Roles and Responsibilities: The CISO owns policy governance. Engineering managers implement the control standards; security operations maintains monitoring and retains the evidence; Compliance and Legal review adherence to order obligations.

Requirements:
(1) Privileged and sensitive access shall require MFA, and entitlements shall be recertified on a defined schedule.
(2) Secrets (credentials, API keys, tokens, private keys) shall not be committed to source repositories. A detected violation requires immediate remediation: the exposed secret is rotated, not merely removed from the repository, because version history retains it.
(3) Logging and log retention for designated systems shall meet order and legal requirements, and logs shall be protected from modification by the accounts they record.
(4) Consumer data shall be retained only as long as needed for its documented purpose, under an approved retention schedule that specifies deletion timelines.
(5) Exceptions require documented risk acceptance by the CISO with a revisit date, and shall be reviewed quarterly.


© 2026 Yi Zhang. Licensed under the MIT License.
Last updated: 2026 April 17 9:37 AM