The cyber security policy must, at minimum, include written procedures, guidelines, and standards reasonably designed to ensure the security of all applications utilized by the licensee. All such procedures, guidelines, and standards must be reviewed, assessed, and updated by the licensee's CISO at least annually.