
Governance Response Memo (FTC v. Drizly 2022)

Respond to an FTC or auditor request on governance: who owns the information security program, how the board is informed, and how the consent order is overseen.


Hallucinated writing examples

Scenario. In November 2022, following the FTC’s consent order (time), an external regulator or auditor (audience) requests a memo describing governance of the information security program and consent order compliance. The CISO (role) submits a governance response memo (type) that addresses board oversight, management accountability, designated program coordinator, and reporting.

GOVERNANCE RESPONSE MEMO

To: Federal Trade Commission (Staff)
From: Chief Information Security Officer
Date: November 21, 2022
Re: Governance of Information Security Program and FTC Consent Order (Docket No. 2023185)

Board oversight. The Board [or Audit Committee] receives [quarterly] reporting on cybersecurity risk, information security program status, and consent order compliance. Reporting includes material risks, control effectiveness, incident summary (if any), and progress against the order’s milestones. The board has approved the written information security program and the data retention schedule required by the order.

Management accountability. [Designated executive] has been designated to coordinate the information security program as required by the FTC order. The CISO reports to [executive] and has authority over security policy, standards, and control implementation. Security and technology risk are included in the enterprise risk management process with defined escalation to the board.

Consent order oversight. Consent order milestones (program implementation, retention schedule, biennial assessment, reporting) are tracked in [system]. Status is reported to the board and to the FTC upon request. [Designated executive] certifies compliance with the order’s reporting and recordkeeping requirements.


Primary sources

© 2026 Yi Zhang. Licensed under the MIT License.