Security Program Justification (FTC v. Drizly 2022)
Justify program scope, resourcing, and structure for CEO and board in light of the FTC consent order.
Purpose
A brief justification for the board or CEO: why the company needs a comprehensive information security program, designated coordinator, and biennial assessment. Ties to: (1) FTC order requirements; (2) root causes of the breach (program and governance gaps); (3) resource and timeline needs; (4) risk of noncompliance. Use when seeking approval for program scope, headcount, or budget.
Hallucinated writing examples
Scenario. In November 2022, after the FTC accepted the consent order (time), the CISO (role) submits a security program justification (type) to the Board Audit Committee (audience) to obtain approval for program structure, staffing, and assessment readiness.
MEMORANDUM
This memorandum provides the justification for establishing and resourcing a comprehensive information security program consistent with the FTC Decision and Order accepted on October 24, 2022 (FTC Docket No. 2023185). The scenario is illustrative; the obligations described are drawn from the Order.
Why this is required. The Order requires a written information security program with designated coordination, risk assessment, safeguards, training, testing and monitoring, service provider oversight, and biennial independent assessments. These requirements are consistent with the control gaps alleged in the FTC complaint (authentication weaknesses, credential exposure, limited monitoring, and lack of retention discipline).
Program scope (control domains).
1. IAM: MFA and access governance for source code repositories and for credentialed access to production systems.
2. Secrets management: credential handling standards and continuous scanning to prevent credentials in code.
3. Monitoring: logging coverage, detection for anomalous access and exfiltration, and investigation workflows.
4. Data minimization: retention schedule implementation and deletion/de-identification evidence.
5. Assurance: independent assessment readiness and remediation closure.
Resources requested. Approve (1) a designated program coordinator and supporting staff; (2) monitoring and secret-scanning tooling; and (3) an independent assessor engagement and testing budget.
Oversight and reporting. Management will report quarterly on MFA coverage, secret-scanning findings and remediation closure, retention schedule compliance, and assessment readiness.
Primary sources
- FTC Decision and Order: Drizly, LLC, and James Cory Rellas, FTC Docket No. 2023185 (Oct. 24, 2022).