Licensees must have in place policies and procedures that address information security for all staff. A strong security policy sets the security tone for the whole entity and informs staff what is expected of them. All staff should be aware of the sensitivity of data and their responsibilities for protecting it.