Security Decision Documentation (FTC v. Drizly 2022)¶

Record significant security decisions and rationale for board, regulator, or counsel.

Purpose¶

Document decisions such as: adoption of the written information security program; designation of the program coordinator; approval of the data retention schedule; approval of MFA and credential-management standards; selection and scope of the biennial independent assessor. Each record should include date, decision, rationale, approver, and any risk acceptance or exception. Supports consent order compliance and audit readiness.

Primary sources¶

• FTC Decision and Order: Decision and Order — Drizly, LLC, and James Cory Rellas, FTC Docket No. 2023185 (Oct. 24, 2022).