Section 500.4 requires the Covered Entity to retain a specific Chief Information Security Officer.
The CISO is defined as "a qualified individual responsible for overseeing and implementing a covered entity's cybersecurity program and enforcing its cybersecurity policy."
In addition, the CISO is required to "timely report" to the senior governing body of the covered entity, or the senior officer(s), on material cybersecurity issues.