Pertains to the protection of customer information from unauthorized or illegal disclosure. Covers the development and implementation of an information security program, including responsibility, assessment of risk, management and control of risk, employee education and training, testing, monitoring, oversight of service provider arrangements, updating/adjusting the program, and reporting to the board.