(C) Assess the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks. (0 Manage and Control Risk. Each IBE shall: (1) Design its information security program to control the identified risks, commensurate with the sensitivity of the information