Skip to content

Asset Management Standard

Organization: FrontRunnerHC, Inc. (FRHC)
Parent Policy Reference: Summit Technology Holdings – Asset Management Policy
Framework Reference: Secure Controls Framework – Asset Management (AST)


This standard defines how FrontRunnerHC (FRHC) implements the enterprise-wide Asset Management requirements established by Summit Technology Holdings, LLC (STH). It documents the controls and practices used to identify, classify, protect, and dispose of technology assets throughout their lifecycle.


This standard applies to all technology assets owned, leased, or otherwise controlled by FRHC, including hardware (servers, workstations, laptops, mobile devices, networking equipment), software (operating systems, applications, databases, licenses), cloud resources (Azure and AWS subscriptions, virtual machines), and data-bearing media. It applies across all environments that support FRHC’s business applications, including PatientRemedi and Credit Balance.


FRHC operates a formal IT Asset Management (ITAM) program centrally managed by the Technology team and integrated into major operational workflows. The program defines roles, responsibilities, and processes for asset acquisition, classification, protection, and lifecycle management. Asset governance policies are reviewed regularly and are tied to FRHC’s broader information security and compliance strategies.

  • Parent Policy Mapping: STH Asset Management Policy, Section 3.1
  • SCF Mapping: AST-01 (Asset Governance)

FRHC maintains a centralized inventory of all enterprise assets, including physical devices, virtual machines, and software licenses. Each record includes the serial number, location, owner, classification (including ePHI sensitivity), and lifecycle status. A barcoded asset ID label is affixed to each trackable physical device; this barcode serves as the primary identifier in the asset management system. Software assets are also tracked within the platform, including product name, license count, license type, and employee or system assignments to ensure license compliance and support lifecycle management. Inventory reviews are conducted annually or upon significant changes.

  • Parent Policy Mapping: STH Asset Management Policy, Section 3.2
  • SCF Mapping: AST-02 (Asset Inventories)

Each asset in FRHC’s environment is associated with a team or individual owner during onboarding. Owners are responsible for applying the appropriate data classification, ensuring required controls are enforced (e.g., patching, encryption), and coordinating secure decommissioning when the asset reaches end-of-life. Ownership is documented in the centralized inventory and reviewed whenever changes occur.

  • Parent Policy Mapping: STH Asset Management Policy, Section 3.3
  • SCF Mapping: AST-03 (Asset Ownership Assignment)

3.4 Network Diagrams & Data Flow Documentation

Section titled “3.4 Network Diagrams & Data Flow Documentation”

FRHC maintains detailed network architecture diagrams and data flow documentation that map application components, systems, and interfaces where sensitive or regulated data (including ePHI) flows. These diagrams are stored in a restricted corporate IT repository and reviewed annually or upon significant infrastructure changes to ensure security assessments remain current.

  • Parent Policy Mapping: STH Asset Management Policy, Section 3.4
  • SCF Mapping: AST-04 (Network Diagrams & Data Flow Diagrams (DFDs))

FRHC uses NIST-compliant techniques for data destruction prior to disposing of any physical asset, including overwriting, degaussing, or physical destruction of media where appropriate. Disposal events are documented and conducted by authorized personnel or contracted certified disposal services.

  • Parent Policy Mapping: STH Asset Management Policy, Section 3.5
  • SCF Mapping: AST-09 (Secure Disposal, Destruction or Re-Use of Equipment)

FRHC includes asset return requirements in employee offboarding and vendor termination processes. Laptops, mobile devices, and all issued equipment must be returned before access is disabled. Returned equipment is logged, inspected, and prepared for secure redeployment or decommissioning.

  • Parent Policy Mapping: STH Asset Management Policy, Section 3.6
  • SCF Mapping: AST-10 (Return of Assets)

FRHC maintains evidence supporting asset management controls, including inventory reports, ownership records, network diagrams, disposal documentation, and asset return logs. Evidence is retained and made available to Summit Technology Holdings, LLC (STH) to support enterprise governance, audit, and compliance activities.


All users (employees, contractors, part-time and temporary workers) and those employed by others to perform work for the organization, or who have been granted access to IT assets or facilities, are covered by this standard and must comply with its associated policies, procedures, standards and guidelines.

Failure to comply with this standard and associated guidelines may result in suspension of use privileges or other disciplinary actions up to and including termination and/or legal action.


Parent Policy:

  • Summit Technology Holdings – Asset Management Policy

Regulatory Requirements:

  • HIPAA Security Rule:
    • 45 CFR §164.310(d)(1) – Device and Media Controls
    • 45 CFR §164.308(a)(1)(ii)(A) – Risk Analysis
  • AICPA SOC 2 Trust Services Criteria:
    • Security (CC6)
    • Confidentiality (C1)

Framework Alignment:

  • AST-01 – Asset Governance
  • AST-02 – Asset Inventories
  • AST-03 – Asset Ownership Assignment
  • AST-04 – Network Diagrams & Data Flow Diagrams (DFDs)
  • AST-09 – Secure Disposal, Destruction or Re-Use of Equipment
  • AST-10 – Return of Assets

RevDescriptionDateApproved
-Policy createdJuly 2020M Machin
1.0UpdatedOctober 2023M Machin
2.0Formatting & Approved for 2024May 2024WSI
3.0Approved for 2025July 2025M Machin
4.0Converted to StandardApril 2026M Machin
4.1Corrected parent policy mapping references to current section format (Section N → Section 3.x)April 2026M Machin

Internal Use Only