Each licensee shall establish and maintain an information security program to ensure the availability and functionality of the licensee's electronic systems and to protect those systems and any sensitive data stored on those systems from unauthorized access, use, or tampering. The program may be established and maintained by a parent or affiliate as long as the licensee has adopted the program and it is available to the department for review.