RSA 420-P:4 Information Security Program.

I. Implementation of the program shall be commensurate with the size and complexity of the licensee, the nature and scope of the licensee's activities, including its use of third-party service providers, and the sensitivity of the nonpublic information used by the licensee or in the licensee's possession, custody, or control. Each licensee shall develop, implement, and maintain a comprehensive written information security program based on the licensee's risk assessment and that contains administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee's information system.
II. The objectives of a licensee's program shall be designed to:
(a) Protect the security and confidentiality of nonpublic information and the security of