Skip to content

Security & Privacy Governance Standard

Organization: FrontRunnerHC, Inc. (FRHC)
Parent Policy Reference: Summit Technology Holdings – Cybersecurity & Data Protection Governance Policy
Framework Reference: Secure Controls Framework – Governance (GOV)


This standard defines how FrontRunnerHC (FRHC) implements the enterprise-wide Cybersecurity & Data Protection Governance requirements established by Summit Technology Holdings, LLC (STH). It documents the governance structures, documentation practices, accountability assignments, and external relationships that constitute FRHC’s information security and privacy governance program.


This standard applies to all FRHC workforce members, vendors, and clients who are subject to or contribute to the organization’s information security and data privacy governance program. It governs the structure, documentation, oversight, and performance measurement of security and privacy controls across all FRHC systems, applications, and services, including those that process, store, or transmit electronic protected health information (ePHI).


STH maintains an enterprise information security and data privacy governance program that governs all aspects of the business and supporting technologies across its subsidiaries, including LX. The governance program is organized according to the Secure Controls Framework (SCF), with NIST SP 800-53 and the NIST Cybersecurity Framework (CSF) v2.0 providing supplemental guidance.

STH owns and maintains the enterprise policies for each SCF domain. FRHC maintains a corresponding set of subsidiary standards and supporting procedures that implement and adhere to these enterprise policies within FRHC operations.

The information security and data privacy governance program is organized, per the SCF, into the following domains:

IDDomain TitleIDDomain Title
GOVCybersecurity & Data Privacy GovernanceIROIncident Response
AATArtificial and Autonomous TechnologiesIAOInformation Assurance
ASTAsset ManagementMDMMobile Device Management
BCDBusiness Continuity & Disaster RecoveryNETNetwork Security
CAPCapacity & Performance PlanningPESPhysical & Environmental Security
CHGChange ManagementPRIData Privacy
CLDCloud SecurityQTSQuantum Security
CPLComplianceRSKRisk Management
CFGConfiguration ManagementSATSecurity Awareness & Training
MONContinuous MonitoringTDATechnology Development & Acquisition
CRYCryptographic ProtectionsTPMThird-Party Management
DCHData Classification & HandlingTHRThreat Management
ENDEndpoint SecurityVPMVulnerability & Patch Management
HRSHuman Resources SecurityWEBWeb Security
IACIdentification & Authentication

Each SCF domain has a corresponding STH enterprise policy from which applicable requirements are derived. FRHC standards define how those requirements are implemented operationally within FRHC systems, processes, and workflows.

The statutory, regulatory, and contractual compliance requirements that inform and drive the governance program are derived from applicable federal, state, and local laws, as well as contractual obligations. While regulatory compliance is centrally managed by STH, these requirements are directly applicable to and enforced within LX operations.

  • Parent Policy Mapping: STH Cybersecurity & Data Protection Governance Policy, Section 3.1
  • SCF Mapping: GOV-01 (Security, Compliance & Resilience Program (SCRP))

FRHC’s complete set of information security policies, standards, and procedures is established and maintained by the Information Security Office. Documents are published to the FRHC Corporate Library and are available to the entire organization. The library is maintained in a version-controlled repository and kept current through the review and update process described in Section 3.3.

  • Parent Policy Mapping: STH Cybersecurity & Data Protection Governance Policy, Section 3.2
  • SCF Mapping: GOV-02 (Publishing Security, Compliance & Resilience Documentation)

3.3 Periodic Review & Update of Security Documentation

Section titled “3.3 Periodic Review & Update of Security Documentation”

FRHC formally reviews each information security policy, standard, and procedure at least annually and following any significant change. Each document includes a revision log tracking version, description of change, date, and approving individual. Reviews ensure continued alignment with regulatory requirements, operational changes, and emerging risks.

  • Parent Policy Mapping: STH Cybersecurity & Data Protection Governance Policy, Section 3.3
  • SCF Mapping: GOV-03 (Periodic Review & Update of Security, Compliance & Resilience Program)

FRHC has established the position of Chief Information Security Officer (CISO) to oversee enterprise security and governance. FRHC has additionally designated a Security Officer and a Privacy Officer to meet HIPAA requirements. The CIO performs the role of Security Officer, and corporate counsel performs the role of Privacy Officer. These roles carry defined authority, accountability, and responsibility for the implementation and oversight of the information security and privacy program.

The CIO serves as the designated Responsible Employee for purposes of Massachusetts 201 CMR 17.00. The FRHC information security program documentation constitutes FRHC’s Written Information Security Program (WISP) under 201 CMR 17.00, covering personal information of patients, clients, and employees.

  • Parent Policy Mapping: STH Cybersecurity & Data Protection Governance Policy, Section 3.4
  • SCF Mapping: GOV-04 (Assigned Security, Compliance & Resilience Responsibilities)

FRHC maintains mechanisms to monitor and report on the performance of its information security program. Two annual internal assessments are conducted: a Ransomware Prevention Assessment evaluating defenses against ransomware threats, and a Security Program Assessment providing a comprehensive analysis of the overall security posture. Results are reviewed by leadership to track progress, identify gaps, and drive continuous improvement aligned with organizational and regulatory requirements.

  • Parent Policy Mapping: STH Cybersecurity & Data Protection Governance Policy, Section 3.5
  • SCF Mapping: GOV-05 (Measures of Performance)

In the event of a security incident or data breach, FRHC will engage necessary external authorities and agencies in accordance with its Incident Response Plan. Established contacts with regulatory bodies, law enforcement, and other relevant authorities are documented within the Incident Response policy and are maintained by the Information Security Office.

  • Parent Policy Mapping: STH Cybersecurity & Data Protection Governance Policy, Section 3.6
  • SCF Mapping: GOV-06 (Contacts With Authorities)

The Information Security Office maintains association with entities in the broader information security community to support ongoing education, stay current with recommended practices and technologies, and share threat intelligence. Current affiliations include Avertium, the Center for Internet Security (CIS), the US NCIJTF, US CISA, the SANS Institute, the Secure Controls Framework Organization, and the MS-ISAC.

  • Parent Policy Mapping: STH Cybersecurity & Data Protection Governance Policy, Section 3.7
  • SCF Mapping: GOV-07 (Contacts With Groups & Associations)

FRHC maintains evidence supporting governance program activities, including documentation inventories, review logs, responsibility assignments, and performance metrics. Evidence is retained and made available to Summit Technology Holdings, LLC (STH) to support enterprise governance, audit, and compliance activities.


All users (employees, contractors, part-time and temporary workers) and those employed by others to perform work for the organization, or who have been granted access to IT assets or facilities, are covered by this standard and must comply with its associated policies, procedures, standards and guidelines.

Failure to comply with this standard and associated guidelines may result in suspension of use privileges or other disciplinary actions up to and including termination and/or legal action.


Parent Policy:

  • Summit Technology Holdings – Cybersecurity & Data Protection Governance Policy

Regulatory Requirements:

  • HIPAA Security Rule:
    • 45 CFR §164.308(a)(1)(ii)(A) – Risk Analysis
    • 45 CFR §164.308(a)(8) – Evaluation
  • AICPA SOC 2 Trust Services Criteria:
    • Security (CC1.1, CC1.2)
    • Risk Management (CC3.2)
    • Monitoring (CC4.1)
  • Massachusetts 201 CMR 17.00:
    • §17.03(2)(a) – Designation of an Employee to Maintain the WISP
    • §17.03(2)(j) – Annual Review of Scope of Security Measures

Framework Alignment:

  • GOV-01 – Security, Compliance & Resilience Program (SCRP)
  • GOV-02 – Publishing Security, Compliance & Resilience Documentation
  • GOV-03 – Periodic Review & Update of Security, Compliance & Resilience Program
  • GOV-04 – Assigned Security, Compliance & Resilience Responsibilities
  • GOV-05 – Measures of Performance
  • GOV-06 – Contacts With Authorities
  • GOV-07 – Contacts With Groups & Associations

RevDescriptionDateApproved
-Policy createdNovember 2019M Machin
1.0Update state regulationsOctober 2023M Machin
2.0Formatting & Approved for 2024May 2024WSI
3.0Addition of AAT in 1.2, and update URLs in 1.7; Approved for 2025March 2025M Machin
4.0Converted to StandardApril 2026M Machin
4.1Added annual review requirement (§3.3); added 201 CMR 17.00 and NY SHIELD Act language (§3.4); added regulatory citationsApril 2026M Machin
5.0Reviewed and Approved for 2026May 2026M Machin
5.1Addition of QTS to Domains in 3.1July 2026M Maching

Internal Use Only