Skip to content

Continuous Monitoring Standard

Organization: FrontRunnerHC, Inc. (FRHC)
Parent Policy Reference: Summit Technology Holdings – Continuous Monitoring Policy
Framework Reference: Secure Controls Framework – Monitoring (MON)


This standard defines how FrontRunnerHC (FRHC) implements the enterprise-wide Continuous Monitoring requirements established by Summit Technology Holdings, LLC (STH). It documents the controls and practices used to maintain ongoing situational awareness across FRHC’s enterprise infrastructure through centralized log collection, real-time analysis, and detection of anomalous activity.


This standard applies to all systems, networks, applications, and cloud services managed by FRHC. It covers both production and non-production environments where sensitive or regulated data, including ePHI, is processed, stored, or transmitted. Monitoring applies to on-premises infrastructure at the Evocative datacenter as well as cloud resources in Azure and AWS.


FRHC maintains a continuous monitoring program that covers internet traffic, email traffic, LAN traffic and protocols, operating system security parameters, and application activity. Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are deployed on critical systems and key network segments with automatic and continuous definition updates and email-based alerting to IT staff. A Security Information and Event Management (SIEM) solution provides near real-time log analysis and event correlation using built-in rules and AI-assisted detection. Network appliances, firewalls, and the WAF continuously monitor bidirectional communications for anomalies, with all logs forwarded to the SIEM. A File Integrity Monitor (FIM) is deployed on all servers to detect unauthorized modifications to operating system files, registry keys, and sensitive file types, with alerts generated for suspicious activity.

  • Parent Policy Mapping: STH Continuous Monitoring Policy, Section 3.1
  • SCF Mapping: MON-01 (Continuous Monitoring)

3.2 Centralized Collection of Security Event Logs

Section titled “3.2 Centralized Collection of Security Event Logs”

All physical devices capable of generating syslog data are configured to forward logs to a syslog server, which in turn forwards to the SIEM. This includes network routers, firewalls, switches, storage devices, physical servers, VMware infrastructure, guest virtual machines, and cloud assets. Windows-based systems use a monitoring agent to capture Security, Application, and System event logs. The SIEM uses built-in correlation rules and machine learning to analyze all collected log data. Access to event log data is restricted to system administrators via role-based access controls. System-related event logs are retained for one year within the SIEM; application event logs for PatientRemedi and Credit Balance are retained indefinitely within their respective databases.

  • Parent Policy Mapping: STH Continuous Monitoring Policy, Section 3.2
  • SCF Mapping: MON-02 (Centralized Collection of Security Event Logs)

Audit records capture, at minimum, the event, time of occurrence, source, outcome, and the user or system associated with the event. For Windows-based systems, these settings are defined in Group Policy Objects for all Active Directory domains. All systems derive their time from an authoritative NTP source. Core switches synchronize with NTP.ORG and all other compute, storage, and network devices synchronize from the core switches, ensuring consistent timestamps across all audit records.

  • Parent Policy Mapping: STH Continuous Monitoring Policy, Section 3.3
  • SCF Mapping: MON-07 (Time Stamps)

The SIEM monitors, alerts, and responds to anomalous behavior detected on FRHC’s network and systems. Alert notifications are sent to IT staff for analysis and response in accordance with established incident response policies and procedures. All security incidents, regardless of identifying source, are addressed using established incident response procedures.

  • Parent Policy Mapping: STH Continuous Monitoring Policy, Section 3.4
  • SCF Mapping: MON-16 (Anomalous Behavior)

3.5 Privileged & Emergency Account Monitoring

Section titled “3.5 Privileged & Emergency Account Monitoring”

FRHC applies enhanced monitoring to privileged accounts, including administrators, service accounts with elevated rights, and emergency access accounts. Privileged account monitoring includes alerting on successful and failed sign-in attempts, authentication method changes, role assignment changes, and modifications to access control group membership. All such alerts are routed to the SIEM and generate notifications to designated security personnel.

Emergency access (break-glass) accounts are subject to a dedicated monitoring configuration. Any activity associated with an emergency access account — including successful sign-in, failed sign-in attempts, authentication method changes, role assignment changes, Conditional Access exclusion group membership changes, and password changes — is treated as a high-severity event requiring immediate review. Alerts are generated automatically and routed to all authorized custodians without delay. The emergency access account has no permissions on the Log Analytics workspace or SIEM and cannot modify or delete its own audit logs.

  • Parent Policy Mapping: STH Continuous Monitoring Policy, Section 3.5
  • SCF Mapping: MON-02 (Centralized Collection of Security Event Logs), MON-16 (Anomalous Behavior)

FRHC maintains evidence supporting continuous monitoring controls, including SIEM configurations, IDS/IPS settings, FIM reports, alert logs, and event log retention records. Evidence is retained and made available to Summit Technology Holdings, LLC (STH) to support enterprise governance, audit, and compliance activities.


All users (employees, contractors, part-time and temporary workers) and those employed by others to perform work for the organization, or who have been granted access to IT assets or facilities, are covered by this standard and must comply with its associated policies, procedures, standards and guidelines.

Failure to comply with this standard and associated guidelines may result in suspension of use privileges or other disciplinary actions up to and including termination and/or legal action.


Parent Policy:

  • Summit Technology Holdings – Continuous Monitoring Policy

Regulatory Requirements:

  • HIPAA Security Rule:
    • 45 CFR §164.308(a)(1)(ii)(D) – Information System Activity Review
  • AICPA SOC 2 Trust Services Criteria:
    • Security (CC7.2, CC7.3, CC7.4)
    • Availability (A1.2)
  • New York SHIELD Act: GBL §899-bb(2)(b)(ii) (Technical Safeguards — Detect, Prevent, and Respond to Attacks or System Failures; Regularly Test and Monitor Effectiveness of Key Controls)

Framework Alignment:

  • MON-01 – Continuous Monitoring
  • MON-02 – Centralized Collection of Security Event Logs
  • MON-07 – Time Stamps
  • MON-16 – Anomalous Behavior

RevDescriptionDateApproved
-Policy createdDecember 2019M Machin
1.0Formatting UpdateSeptember 2022WSI
1.1Policy updated and approved for 2024May 2024WSI
2.0Converted to StandardApril 2026M Machin
2.1Addition of Section 3.5 for privileged & emergency account monitoringApril 2026M Machin
2.2Added NY SHIELD Act citationApril 2026M Machin

Internal Use Only