Skip to content

Human Resources Security Standard

Organization: FrontRunnerHC, Inc. (FRHC)
Parent Policy Reference: Summit Technology Holdings – Human Resources Security Policy Framework Reference: Secure Controls Framework – Human Resources Security (HRS)


This standard defines how FrontRunnerHC (FRHC) implements the enterprise-wide Human Resources Security requirements established by Summit Technology Holdings, LLC (STH). It documents the controls and practices used to manage workforce security through the employment lifecycle—from hiring through termination—to ensure appropriate access to systems, assets, data, and facilities.


This standard applies to all FRHC workforce members including employees, partners, contractors, consultants, temporary workers, and third parties with access to FRHC systems, data, or facilities.


STH centrally maintains a Human Resources Security Management program that governs personnel lifecycle activities for FRHC. This program integrates hiring, onboarding, role management, training, and separation activities with enterprise information security requirements.

FRHC relies on STH Human Resources and enterprise leadership to execute these controls and does not maintain independent HR security processes.

  • Parent Policy Mapping: STH Human Resources Security Policy, Section 3.1
  • SCF Mapping: HRS-01 (Human Resources Security Management)

STH classifies positions based on access level, sensitivity, and risk. Positions supportingFRHC operations are categorized centrally by STH, including identification of roles with elevated or privileged access.

FRHC adheres to these classifications and supports STH by providing role context and access requirements as needed.

  • Parent Policy Mapping: STH Human Resources Security Policy, Section 3.2
  • SCF Mapping: HRS-02 (Position Categorization)

Roles and responsibilities, including security and compliance obligations, are defined and maintained by STH. Personnel supportingFRHC acknowledge these responsibilities as part of onboarding and upon role changes.

FRHC does not independently define HR security responsibilities and relies on STH governance.

  • Parent Policy Mapping: STH Human Resources Security Policy, Section 3.3
  • SCF Mapping: HRS-03 (Defined Roles & Responsibilities)

STH performs personnel screening activities for all individuals supporting FRHC, consistent with legal, regulatory, and contractual requirements. Screening activities are completed prior to granting access to systems or sensitive data and are documented centrally.

  • Parent Policy Mapping: STH Human Resources Security Policy, Section 3.4
  • SCF Mapping: HRS-04 (Personnel Screening)

Terms of employment, including confidentiality obligations, acceptable use requirements, and adherence to corporate policies, are defined and enforced by STH. Individuals supportingFRHC formally acknowledge these terms during onboarding and as policies are updated.

  • Parent Policy Mapping: STH Human Resources Security Policy, Section 3.5
  • SCF Mapping: HRS-05 (Terms of Employment)

STH requires all individuals with access toFRHC systems or data to execute appropriate access and confidentiality agreements. These agreements define obligations for proper handling of information during and after employment.

  • Parent Policy Mapping: STH Human Resources Security Policy, Section 3.6
  • SCF Mapping: HRS-06 (Access Agreements)

Violations of security policies, standards, or agreements are addressed through STH’s centralized personnel sanctions process. Disciplinary actions may include warnings, suspension, termination, or legal action, depending on severity.

FRHC escalates personnel-related security issues to STH for handling.

  • Parent Policy Mapping: STH Human Resources Security Policy, Section 3.7
  • SCF Mapping: HRS-07 (Personnel Sanctions)

STH manages personnel transfers affecting FRHC roles. Access rights are reviewed and adjusted centrally to ensure alignment with new responsibilities and to prevent inappropriate access.

  • Parent Policy Mapping: STH Human Resources Security Policy, Section 3.8
  • SCF Mapping: HRS-08 (Personnel Transfer)

STH coordinates personnel termination activities for FRHC, including revocation of system access, retrieval of assets, and enforcement of post-employment obligations. All logical access must be revoked no later than the moment of termination. For involuntary terminations, access revocation must be completed prior to the termination conversation where operationally feasible; physical access to locations where personal information records are stored must be discontinued simultaneously.

  • Parent Policy Mapping: STH Human Resources Security Policy, Section 3.9
  • SCF Mapping: HRS-09 (Personnel Termination)

Separation of duties is enforced through role design and access controls defined by STH. FRHC relies on STH to ensure that no individual has excessive control over critical processes or systems.

  • Parent Policy Mapping: STH Human Resources Security Policy, Section 3.10
  • SCF Mapping: HRS-11 (Separation of Duties (SoD))

FRHC maintains evidence supporting human resources security controls, including screening records, signed agreements, access control change logs, and termination records. Evidence is retained and made available to Summit Technology Holdings, LLC (STH) to support enterprise governance, audit, and compliance activities.


All users (employees, contractors, part-time and temporary workers) and those employed by others to perform work for the organization, or who have been granted access to IT assets or facilities, are covered by this standard and must comply with its associated policies, procedures, standards and guidelines.

Failure to comply with this standard and associated guidelines may result in suspension of use privileges or other disciplinary actions up to and including termination and/or legal action.


Parent Policy:

  • Summit Technology Holdings – Human Resources Security Policy

Regulatory Requirements:

  • HIPAA Security Rule:
    • 45 CFR §164.308(a)(3) – Workforce Security
  • AICPA SOC 2 Trust Services Criteria:
    • Security (CC1.1, CC6.1)
    • Confidentiality (C1.1)
  • Massachusetts 201 CMR 17.00: §17.03(2)(h) – Termination of Access to Personal Information When Employment Ends

Framework Alignment:

  • HRS-02 – Position Categorization
  • HRS-03 – Defined Roles & Responsibilities
  • HRS-04 – Personnel Screening
  • HRS-05 – Terms of Employment
  • HRS-06 – Access Agreements
  • HRS-07 – Personnel Sanctions
  • HRS-08 – Personnel Transfer
  • HRS-09 – Personnel Termination
  • HRS-11 – Separation of Duties (SoD)

RevDescriptionDateApproved
-Policy createdJuly 2021M Machin
1.0Formatting UpdateSeptember 2022WSI
2.0Updated and approved for 2024July 2024WSI
3.0Updated and approved for 2025July 2025M Machin
4.0Converted to StandardApril 2026M Machin
4.1Strengthened termination access revocation timing (§3.8); added 201 CMR 17.00 §17.03(2)(h) citationApril 2026M Machin
5.0Updated and approved for 2026July 2026M Machin

Internal Use Only