Strategic Security Initiative Justification (FTC v. Drizly 2022)
Business case for the security program and data minimization initiative required by the FTC consent order.
Purpose
A brief business case for leadership and the board: why the company is investing in the information security program, data minimization, and biennial assessments. It ties each consent order obligation to risk reduction, regulatory compliance, and reputational protection.
Key points: (1) The FTC order mandates a comprehensive program, retention schedule, and assessments; noncompliance carries enforcement risk. (2) The breach and FTC findings reflect program and governance gaps that the initiative addresses. (3) Resource and timeline expectations (coordinator, MFA rollout, repository scanning, retention schedule, third-party assessment).
Hallucinated writing examples
Scenario. In November 2022, shortly after the FTC announced the proposed consent order and accepted it for public comment (time), the CISO (role) submits a strategic security initiative justification (type) to the Board Audit Committee (audience) to obtain approval for resourcing, tooling, and the biennial independent assessment.
MEMORANDUM
This memorandum requests approval for a consolidated security initiative that implements the information security program, the data minimization and retention controls, and the independent assessment required by the proposed FTC Decision and Order accepted for public comment on October 24, 2022 (FTC Docket No. 2023185). The scenario is illustrative; the obligations described are drawn from the Order.
Business rationale. The July 2020 incident and the subsequent FTC action demonstrate that weaknesses in authentication, secrets handling, monitoring, and data retention can turn a single compromised account into enterprise-wide impact. The Order requires a written program, a designated employee responsible for it, safeguards and monitoring, a publicly posted retention schedule, and biennial independent assessments. This initiative delivers those requirements in one integrated, auditable program rather than as separate compliance tasks.
Scope (control domains).
1. IAM and privileged access: enforce MFA for access to source code repositories and to production systems and databases holding personal data; run periodic access reviews and revoke access promptly on role change or departure.
2. Secrets management and secure development: remove credentials from repositories and their history; continuous secret scanning with a tracked remediation workflow (rotate the exposed credential, then remove it).
3. Monitoring and response: logging coverage, retention, and detection for anomalous access and exfiltration.
4. Data minimization and retention: retention schedule publication; deletion or de-identification controls and evidence generation.
5. Assurance: biennial independent assessment and closure tracking for findings.
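As an added illustration of the secret-scanning control in domain 2 (example code written for this page, not Drizly's tooling and not something the Order prescribes; the rule set, the entropy threshold, and the sample repository contents are constructed), the following scanner flags credential-shaped values in repository files, skips placeholders such as environment-variable lookups, redacts what it reports so the finding itself does not leak the secret, and produces the per-rule counts a quarterly report would track:

```python
"""Minimal repository secret scan (illustrative example, not production tooling).
Rule set, threshold and sample files are constructed for this example."""
import math
import re
from collections import Counter

# Simplified detectors (real scanners ship hundreds of rules). Order matters:
# the first rule that matches a line wins, so the specific rules come first.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    # keyword = value assignments; the value is captured so it can be vetted
    "assigned_secret": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|access[_-]?key)\w*"
        r"\s*[:=]\s*['\"]?([^\s'\"]{8,})"
    ),
}
# Values that reference an environment variable or a template are not secrets.
PLACEHOLDER = re.compile(r"^(?:\$\{|os\.environ|process\.env|<)")
# Bits per character; "changeme" scores 2.75, random-looking strings exceed 4.
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; low values indicate placeholders or words."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def redact(secret: str) -> str:
    """Keep a short prefix so a finding can be located without re-exposing the secret."""
    return secret[:4] + "****"


def scan_text(path: str, text: str) -> list:
    """Scan one file's contents; returns at most one finding per line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            secret = m.group(1) if m.groups() else m.group(0)
            if rule == "assigned_secret" and (
                PLACEHOLDER.match(secret) or shannon_entropy(secret) < ENTROPY_THRESHOLD
            ):
                continue  # keyword hit, but the value is a placeholder or a dictionary word
            findings.append({"path": path, "line": lineno, "rule": rule, "preview": redact(secret)})
            break  # one finding per line
    return findings


def scan_repo(files: dict) -> list:
    """files maps repository path -> file contents (e.g. from `git ls-files` plus reads)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def summarize(findings: list) -> dict:
    """Per-rule counts: the number a quarterly report would track over time."""
    return dict(Counter(f["rule"] for f in findings))


# Constructed sample repository content for the example. The AWS key ID and
# secret key are the well-known documentation example values, not live credentials.
SAMPLE_REPO = {
    "config/settings.py": (
        "DB_HOST = 'db.internal.example'\n"
        "DB_PASSWORD = 'Xk9#pL2mQz8vR4wT'\n"
        "API_KEY = os.environ['API_KEY']\n"
    ),
    "deploy/credentials": (
        "[default]\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "keys/deploy_key": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAABG5vbmU=\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    "README.md": "Set password = changeme on first login.\n",
}

if __name__ == "__main__":
    results = scan_repo(SAMPLE_REPO)
    for f in results:
        print(f"{f['path']}:{f['line']}: {f['rule']} ({f['preview']})")
    print("summary:", summarize(results))
    raise SystemExit(1 if results else 0)  # non-zero exit gates a CI job or pre-commit hook
```

On the sample repository the scan reports four findings (the database password, the AWS key ID, the AWS secret key, and the private key header) and none for the `os.environ` lookup or the low-entropy `changeme` value. The exit status is what makes this a control rather than a report: wired into CI or a pre-commit hook it blocks the commit, and the summary counts become the trend line the memo asks to see quarterly.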
Resources and timeline. We request approval for (1) an independent assessor and required testing; (2) monitoring and secret-scanning tooling; and (3) implementation staffing to complete the first 90-day milestones and prepare for assessment.
Decision requested. Approve the initiative scope and budget and require quarterly reporting on MFA coverage, secret-scanning findings, retention schedule compliance, and assessment readiness.
Primary sources
- FTC Decision and Order: Decision and Order — Drizly, LLC, and James Cory Rellas, FTC Docket No. 2023185 (Oct. 24, 2022).