The licensee:
- (1) Designs its information security program to control the identified risks, commensurate with the sensitivity of the information, as well as the complexity and scope of the licensee’s activities;
- (2) Trains staff, as appropriate, to implement the licensee’s information security program; and
(3)
- (A) Regularly tests or otherwise regularly monitors the key controls, systems, and procedures of the information security program.
- (B) The frequency and nature of these tests or other monitoring practices are determined by the licensee’s risk assessment.