Security & Privacy Governance Standard
Organization: FrontRunnerHC, Inc. (FRHC)
Parent Policy Reference: Summit Technology Holdings – Cybersecurity & Data Protection Governance Policy
Framework Reference: Secure Controls Framework – Governance (GOV)
1. Purpose
Section titled “1. Purpose”This standard defines how FrontRunnerHC (FRHC) implements the enterprise-wide Cybersecurity & Data Protection Governance requirements established by Summit Technology Holdings, LLC (STH). It documents the governance structures, documentation practices, accountability assignments, and external relationships that constitute FRHC’s information security and privacy governance program.
2. Applicability
Section titled “2. Applicability”This standard applies to all FRHC workforce members, vendors, and clients who are subject to or contribute to the organization’s information security and data privacy governance program. It governs the structure, documentation, oversight, and performance measurement of security and privacy controls across all FRHC systems, applications, and services, including those that process, store, or transmit electronic protected health information (ePHI).
3. Standard
Section titled “3. Standard”3.1 Governance Program
Section titled “3.1 Governance Program”STH maintains an enterprise information security and data privacy governance program that governs all aspects of the business and supporting technologies across its subsidiaries, including LX. The governance program is organized according to the Secure Controls Framework (SCF), with NIST SP 800-53 and the NIST Cybersecurity Framework (CSF) v2.0 providing supplemental guidance.
STH owns and maintains the enterprise policies for each SCF domain. FRHC maintains a corresponding set of subsidiary standards and supporting procedures that implement and adhere to these enterprise policies within FRHC operations.
The information security and data privacy governance program is organized, per the SCF, into the following domains:
| ID | Domain Title | ID | Domain Title |
|---|---|---|---|
| GOV | Cybersecurity & Data Privacy Governance | IRO | Incident Response |
| AAT | Artificial and Autonomous Technologies | IAO | Information Assurance |
| AST | Asset Management | MDM | Mobile Device Management |
| BCD | Business Continuity & Disaster Recovery | NET | Network Security |
| CAP | Capacity & Performance Planning | PES | Physical & Environmental Security |
| CHG | Change Management | PRI | Data Privacy |
| CLD | Cloud Security | QTS | Quantum Security |
| CPL | Compliance | RSK | Risk Management |
| CFG | Configuration Management | SAT | Security Awareness & Training |
| MON | Continuous Monitoring | TDA | Technology Development & Acquisition |
| CRY | Cryptographic Protections | TPM | Third-Party Management |
| DCH | Data Classification & Handling | THR | Threat Management |
| END | Endpoint Security | VPM | Vulnerability & Patch Management |
| HRS | Human Resources Security | WEB | Web Security |
| IAC | Identification & Authentication |
Each SCF domain has a corresponding STH enterprise policy from which applicable requirements are derived. FRHC standards define how those requirements are implemented operationally within FRHC systems, processes, and workflows.
The statutory, regulatory, and contractual compliance requirements that inform and drive the governance program are derived from applicable federal, state, and local laws, as well as contractual obligations. While regulatory compliance is centrally managed by STH, these requirements are directly applicable to and enforced within LX operations.
- Parent Policy Mapping: STH Cybersecurity & Data Protection Governance Policy, Section 3.1
- SCF Mapping: GOV-01 (Security, Compliance & Resilience Program (SCRP))
3.2 Publishing Security Documentation
Section titled “3.2 Publishing Security Documentation”FRHC’s complete set of information security policies, standards, and procedures is established and maintained by the Information Security Office. Documents are published to the FRHC Corporate Library and are available to the entire organization. The library is maintained in a version-controlled repository and kept current through the review and update process described in Section 3.3.
- Parent Policy Mapping: STH Cybersecurity & Data Protection Governance Policy, Section 3.2
- SCF Mapping: GOV-02 (Publishing Security, Compliance & Resilience Documentation)
3.3 Periodic Review & Update of Security Documentation
Section titled “3.3 Periodic Review & Update of Security Documentation”FRHC formally reviews each information security policy, standard, and procedure at least annually and following any significant change. Each document includes a revision log tracking version, description of change, date, and approving individual. Reviews ensure continued alignment with regulatory requirements, operational changes, and emerging risks.
- Parent Policy Mapping: STH Cybersecurity & Data Protection Governance Policy, Section 3.3
- SCF Mapping: GOV-03 (Periodic Review & Update of Security, Compliance & Resilience Program)
3.4 Assigned Security Responsibilities
Section titled “3.4 Assigned Security Responsibilities”FRHC has established the position of Chief Information Security Officer (CISO) to oversee enterprise security and governance. FRHC has additionally designated a Security Officer and a Privacy Officer to meet HIPAA requirements. The CIO performs the role of Security Officer, and corporate counsel performs the role of Privacy Officer. These roles carry defined authority, accountability, and responsibility for the implementation and oversight of the information security and privacy program.
The CIO serves as the designated Responsible Employee for purposes of Massachusetts 201 CMR 17.00. The FRHC information security program documentation constitutes FRHC’s Written Information Security Program (WISP) under 201 CMR 17.00, covering personal information of patients, clients, and employees.
- Parent Policy Mapping: STH Cybersecurity & Data Protection Governance Policy, Section 3.4
- SCF Mapping: GOV-04 (Assigned Security, Compliance & Resilience Responsibilities)
3.5 Measures of Performance
Section titled “3.5 Measures of Performance”FRHC maintains mechanisms to monitor and report on the performance of its information security program. Two annual internal assessments are conducted: a Ransomware Prevention Assessment evaluating defenses against ransomware threats, and a Security Program Assessment providing a comprehensive analysis of the overall security posture. Results are reviewed by leadership to track progress, identify gaps, and drive continuous improvement aligned with organizational and regulatory requirements.
- Parent Policy Mapping: STH Cybersecurity & Data Protection Governance Policy, Section 3.5
- SCF Mapping: GOV-05 (Measures of Performance)
3.6 Contacts With Authorities
Section titled “3.6 Contacts With Authorities”In the event of a security incident or data breach, FRHC will engage necessary external authorities and agencies in accordance with its Incident Response Plan. Established contacts with regulatory bodies, law enforcement, and other relevant authorities are documented within the Incident Response policy and are maintained by the Information Security Office.
- Parent Policy Mapping: STH Cybersecurity & Data Protection Governance Policy, Section 3.6
- SCF Mapping: GOV-06 (Contacts With Authorities)
3.7 Contacts With Groups & Associations
Section titled “3.7 Contacts With Groups & Associations”The Information Security Office maintains association with entities in the broader information security community to support ongoing education, stay current with recommended practices and technologies, and share threat intelligence. Current affiliations include Avertium, the Center for Internet Security (CIS), the US NCIJTF, US CISA, the SANS Institute, the Secure Controls Framework Organization, and the MS-ISAC.
- Parent Policy Mapping: STH Cybersecurity & Data Protection Governance Policy, Section 3.7
- SCF Mapping: GOV-07 (Contacts With Groups & Associations)
4. Compliance & Governance
Section titled “4. Compliance & Governance”FRHC maintains evidence supporting governance program activities, including documentation inventories, review logs, responsibility assignments, and performance metrics. Evidence is retained and made available to Summit Technology Holdings, LLC (STH) to support enterprise governance, audit, and compliance activities.
5. Enforcement
Section titled “5. Enforcement”All users (employees, contractors, part-time and temporary workers) and those employed by others to perform work for the organization, or who have been granted access to IT assets or facilities, are covered by this standard and must comply with its associated policies, procedures, standards and guidelines.
Failure to comply with this standard and associated guidelines may result in suspension of use privileges or other disciplinary actions up to and including termination and/or legal action.
6. References
Section titled “6. References”Parent Policy:
- Summit Technology Holdings – Cybersecurity & Data Protection Governance Policy
Regulatory Requirements:
- HIPAA Security Rule:
- 45 CFR §164.308(a)(1)(ii)(A) – Risk Analysis
- 45 CFR §164.308(a)(8) – Evaluation
- AICPA SOC 2 Trust Services Criteria:
- Security (CC1.1, CC1.2)
- Risk Management (CC3.2)
- Monitoring (CC4.1)
- Massachusetts 201 CMR 17.00:
- §17.03(2)(a) – Designation of an Employee to Maintain the WISP
- §17.03(2)(j) – Annual Review of Scope of Security Measures
Framework Alignment:
- GOV-01 – Security, Compliance & Resilience Program (SCRP)
- GOV-02 – Publishing Security, Compliance & Resilience Documentation
- GOV-03 – Periodic Review & Update of Security, Compliance & Resilience Program
- GOV-04 – Assigned Security, Compliance & Resilience Responsibilities
- GOV-05 – Measures of Performance
- GOV-06 – Contacts With Authorities
- GOV-07 – Contacts With Groups & Associations
7. Revision Tracking
Section titled “7. Revision Tracking”| Rev | Description | Date | Approved |
|---|---|---|---|
| - | Policy created | November 2019 | M Machin |
| 1.0 | Update state regulations | October 2023 | M Machin |
| 2.0 | Formatting & Approved for 2024 | May 2024 | WSI |
| 3.0 | Addition of AAT in 1.2, and update URLs in 1.7; Approved for 2025 | March 2025 | M Machin |
| 4.0 | Converted to Standard | April 2026 | M Machin |
| 4.1 | Added annual review requirement (§3.3); added 201 CMR 17.00 and NY SHIELD Act language (§3.4); added regulatory citations | April 2026 | M Machin |
| 5.0 | Reviewed and Approved for 2026 | May 2026 | M Machin |
| 5.1 | Addition of QTS to Domains in 3.1 | July 2026 | M Maching |
