Answer:
The regulations require an Identity Theft Prevention program. The regulations also clarify that existing policies and procedures may be incorporated into the Program, as appropriate. The regulations do not provide that the Program can be incorporated into a different policy or procedure.