Licensees must have in place policies and procedures that address information security for all staff sets the security tone for the whole entity and informs staff what is expected of them. All staff should be aware of the sensitivity of data and their responsibilities for protecting it.