Security Program Status Report (FTC v. Drizly 2022)¶

Program health, metrics, and progress for leadership and consent order reporting.

Purpose¶

A status report that tracks progress against the FTC consent order and the information security program. Typically includes: (1) program elements implemented (coordinator, risk assessment, safeguards, training, testing, data retention); (2) key metrics (e.g., MFA coverage, credential-scan results, retention schedule compliance); (3) open items and target dates; (4) biennial assessment status.

Metrics aligned with FTC order: Written program in place; coordinator designated; risk assessment completed; MFA enforced for privileged/sensitive access; no credentials in repositories; retention schedule published and deletion process operating; biennial assessment scheduled or completed.

Hallucinated writing examples¶

Scenario. In January 2023, during initial implementation of the FTC consent order (time), a Lead Security Engineer (role) submits a security program status report (type) to the CISO (audience). The report provides measurable progress against program and data-retention requirements and identifies blockers requiring executive action.

SECURITY PROGRAM STATUS REPORT

To: Chief Information Security Officer
From: Lead Security Engineer
Date: January 10, 2023
Re: Status Report — Information Security Program and FTC Consent Order Readiness

This report summarizes implementation status for the information security program and data minimization obligations required by the FTC Decision and Order (FTC Docket No. 2023185). The scenario is illustrative; the obligations reflected below derive from the Order.

1) Program governance (order requirement)
Program coordinator: Designated; reporting line documented. Status: complete.
Written program: Draft finalized for executive approval. Status: in progress. Blocker: approval scheduling.

2) IAM and credential management
MFA enforcement (source code and production credentials): Status: in progress. Metric: 92% enrolled; enforcement targeted for Jan 31.
Access review / offboarding: Status: in progress. Metric: 100% privileged accounts reviewed; remediation of 3 stale accounts pending.

3) Secrets management and secure development
No credentials in repositories: Status: in progress. Metric: secret scanning enabled; 0 open critical findings; 2 medium findings under remediation.
Change control for high-risk settings: Status: in progress.

4) Monitoring and detection
Logging coverage and retention: Status: in progress. Metric: 85% of critical systems onboarded; retention policy drafted.
Exfiltration/anomalous access detection: Status: planned (February rollout).

5) Data minimization and retention
Retention schedule: Draft published internally; external publication queued. Status: in progress.
Deletion/de-identification process: Status: in progress. Metric: first deletion run scheduled Jan 20.

6) Independent assessment (biennial)
Assessor selection and scope: Status: in progress. Next step: finalize SOW and timeline.

Requests for action. Approve the written program and retention schedule publication; confirm budget for assessment and monitoring enhancements.

Primary sources¶

FTC Decision and Order: Decision and Order — Drizly, LLC, and James Cory Rellas, FTC Docket No. 2023185 (Oct. 24, 2022).