Security Decision Documentation (Altaba / Yahoo SEC (2018))

Use this to record a significant security-related decision: what was decided, why, who was involved, and what evidence or inputs were used. The record supports accountability and audit.


Purpose

This document standardizes how significant security and disclosure decisions related to Altaba / Yahoo SEC (2018) are recorded, including rationale, approvers, assumptions, and follow-up actions. It supports legal defensibility, internal accountability, and post-incident learning.

Hallucinated writing examples

Scenario: In an illustrative period following the SEC April 2018 cease-and-desist order on delayed breach disclosure (time), the Security Director (role) prepares a security decision documentation (type) for leadership stakeholders (audience).

SECURITY DECISION RECORD

Decision: Formalization of incident-to-disclosure escalation controls and disclosure-committee decision evidence standards
Date: May 20, 2018
Participants: Chief Information Security Officer, General Counsel, Chief Accounting Officer, Disclosure Committee Chair, Compliance Lead

Context: The SEC administrative order (File No. 3-18448) highlighted delayed and inadequate investor disclosure after confirmed cyber intrusion knowledge. This decision establishes required controls for escalation timing, documentation, and cross-functional governance of materiality-related security facts.

Options Considered: (1) Implement mandatory escalation triggers and disclosure evidence workflow with legal/finance checkpoints (selected). (2) Keep informal coordination via ad hoc counsel outreach—rejected due to control weakness. (3) External advisory-only model without workflow redesign—rejected for inadequate ownership.

Rationale: Selected to directly address disclosure-control deficiencies and create repeatable evidence for internal and external review. Inputs included order findings, internal control gap analysis, and committee process review.

Commitments: Deploy revised workflow by Q3 2018; run quarterly control tests; report unresolved exceptions to disclosure committee with dated remediation plans.

© 2026 Yi Zhang. Licensed under the MIT License.
Last updated: 2026 April 17 9:37 AM