Capacity & Performance Planning Standard
Organization: FrontRunnerHC, Inc. (FRHC)
Parent Policy Reference: Summit Technology Holdings – Capacity & Performance Planning Policy
Framework Reference: Secure Controls Framework – Capacity & Performance Planning (CAP)
1. Purpose
Section titled “1. Purpose”This standard defines how FrontRunnerHC (FRHC) implements the enterprise-wide Capacity & Performance Planning requirements established by Summit Technology Holdings, LLC (STH). It documents the controls and practices used to monitor and manage IT system capacity and performance to ensure stable, scalable, and resilient operations.
2. Applicability
Section titled “2. Applicability”This standard applies to all information systems, applications, databases, infrastructure, and cloud services operated by FRHC, including on-premises systems at the Evocative datacenter and cloud resources in Azure and AWS. It covers all environments supporting FRHC’s operations, including those that process, store, or transmit ePHI.
3. Standard
Section titled “3. Standard”3.1 Capacity & Performance Management
Section titled “3.1 Capacity & Performance Management”FRHC monitors capacity across all infrastructure components—including CPU, memory, storage, and network—using tools such as Site24x7 and VMware. Historical trends are analyzed to inform future upgrades, application scaling, and infrastructure planning. Regular reviews by the Technology team ensure capacity keeps pace with business requirements and service-level objectives.
- Parent Policy Mapping: STH Capacity & Performance Planning Policy, Section 3.1
- SCF Mapping: CAP-01 (Capacity & Performance Management)
3.2 Resource Priority
Section titled “3.2 Resource Priority”FRHC uses VMware resource pools to allocate computing resources, giving priority to production systems over non-critical environments such as test and development. Network security appliances include DoS protection and traffic-shaping capabilities to protect bandwidth and compute resources during potential overloads, ensuring essential services—including those supporting ePHI—remain accessible and performant.
- Parent Policy Mapping: STH Capacity & Performance Planning Policy, Section 3.2
- SCF Mapping: CAP-02 (Resource Priority)
3.3 Capacity Planning
Section titled “3.3 Capacity Planning”Capacity planning at FRHC includes evaluation of systems needed to support continuity operations and potential failover workloads. Infrastructure sizing accounts for the resource requirements of redundant or backup systems. Disaster recovery infrastructure is reviewed during annual business continuity tests to validate it can adequately support contingency demands.
- Parent Policy Mapping: STH Capacity & Performance Planning Policy, Section 3.3
- SCF Mapping: CAP-03 (Capacity Planning)
3.4 Performance Monitoring
Section titled “3.4 Performance Monitoring”FRHC uses Site24x7 to monitor application and infrastructure health across cloud and on-premises environments. Alerts are configured for key performance indicators including CPU load, memory usage, and system availability. Monitoring data is retained to support forensic investigations and capacity trend analysis.
- Parent Policy Mapping: STH Capacity & Performance Planning Policy, Section 3.4
- SCF Mapping: CAP-04 (Performance Monitoring)
4. Compliance & Governance
Section titled “4. Compliance & Governance”FRHC maintains evidence supporting capacity and performance controls, including monitoring configurations, alert logs, performance baselines, and capacity planning documentation. Evidence is retained and made available to Summit Technology Holdings, LLC (STH) to support enterprise governance, audit, and compliance activities.
5. Enforcement
Section titled “5. Enforcement”All users (employees, contractors, part-time and temporary workers) and those employed by others to perform work for the organization, or who have been granted access to IT assets or facilities, are covered by this standard and must comply with its associated policies, procedures, standards and guidelines.
Failure to comply with this standard and associated guidelines may result in suspension of use privileges or other disciplinary actions up to and including termination and/or legal action.
6. References
Section titled “6. References”Parent Policy:
- Summit Technology Holdings – Capacity & Performance Planning Policy
Regulatory Requirements:
- HIPAA Security Rule:
- 45 CFR §164.308(a)(1)(ii)(B) – Risk Management
- AICPA SOC 2 Trust Services Criteria:
- Availability (A1.2, A1.3)
- Security (CC7.2)
Framework Alignment:
- CAP-01 – Capacity & Performance Management
- CAP-02 – Resource Priority
- CAP-03 – Capacity Planning
- CAP-04 – Performance Monitoring
7. Revision Tracking
Section titled “7. Revision Tracking”| Rev | Description | Date | Approved |
|---|---|---|---|
| - | Policy created | December 2020 | M Machin |
| 1.0 | Formatting Update | September 2022 | WSI |
| 1.1 | Updated and approved for 2024 | May 2024 | WSI |
| 2.0 | Updated and approved for 2025 | July 2025 | M Machin |
| 3.0 | Converted to Standard | April 2026 | M Machin |
| 3.1 | Corrected parent policy mapping references to current section format (Section N → Section 3.x) | April 2026 | M Machin |
