Human Resources Security Standard
Organization: FrontRunnerHC, Inc. (FRHC)
Parent Policy Reference: Summit Technology Holdings – Human Resources Security Policy
Framework Reference: Secure Controls Framework – Human Resources Security (HRS)
1. Purpose
Section titled “1. Purpose”This standard defines how FrontRunnerHC (FRHC) implements the enterprise-wide Human Resources Security requirements established by Summit Technology Holdings, LLC (STH). It documents the controls and practices used to manage workforce security through the employment lifecycle—from hiring through termination—to ensure appropriate access to systems, assets, data, and facilities.
2. Applicability
Section titled “2. Applicability”This standard applies to all FRHC workforce members including employees, partners, contractors, consultants, temporary workers, and third parties with access to FRHC systems, data, or facilities.
3. Standard
Section titled “3. Standard”3.1 Human Resources Security Management
Section titled “3.1 Human Resources Security Management”STH centrally maintains a Human Resources Security Management program that governs personnel lifecycle activities for FRHC. This program integrates hiring, onboarding, role management, training, and separation activities with enterprise information security requirements.
FRHC relies on STH Human Resources and enterprise leadership to execute these controls and does not maintain independent HR security processes.
- Parent Policy Mapping: STH Human Resources Security Policy, Section 3.1
- SCF Mapping: HRS-01 (Human Resources Security Management)
3.2 Position Categorization
Section titled “3.2 Position Categorization”STH classifies positions based on access level, sensitivity, and risk. Positions supportingFRHC operations are categorized centrally by STH, including identification of roles with elevated or privileged access.
FRHC adheres to these classifications and supports STH by providing role context and access requirements as needed.
- Parent Policy Mapping: STH Human Resources Security Policy, Section 3.2
- SCF Mapping: HRS-02 (Position Categorization)
3.3 Defined Roles & Responsibilities
Section titled “3.3 Defined Roles & Responsibilities”Roles and responsibilities, including security and compliance obligations, are defined and maintained by STH. Personnel supportingFRHC acknowledge these responsibilities as part of onboarding and upon role changes.
FRHC does not independently define HR security responsibilities and relies on STH governance.
- Parent Policy Mapping: STH Human Resources Security Policy, Section 3.3
- SCF Mapping: HRS-03 (Defined Roles & Responsibilities)
3.4 Personnel Screening
Section titled “3.4 Personnel Screening”STH performs personnel screening activities for all individuals supporting FRHC, consistent with legal, regulatory, and contractual requirements. Screening activities are completed prior to granting access to systems or sensitive data and are documented centrally.
- Parent Policy Mapping: STH Human Resources Security Policy, Section 3.4
- SCF Mapping: HRS-04 (Personnel Screening)
3.5 Terms of Employment
Section titled “3.5 Terms of Employment”Terms of employment, including confidentiality obligations, acceptable use requirements, and adherence to corporate policies, are defined and enforced by STH. Individuals supportingFRHC formally acknowledge these terms during onboarding and as policies are updated.
- Parent Policy Mapping: STH Human Resources Security Policy, Section 3.5
- SCF Mapping: HRS-05 (Terms of Employment)
3.6 Access Agreements
Section titled “3.6 Access Agreements”STH requires all individuals with access toFRHC systems or data to execute appropriate access and confidentiality agreements. These agreements define obligations for proper handling of information during and after employment.
- Parent Policy Mapping: STH Human Resources Security Policy, Section 3.6
- SCF Mapping: HRS-06 (Access Agreements)
3.7 Personnel Sanctions
Section titled “3.7 Personnel Sanctions”Violations of security policies, standards, or agreements are addressed through STH’s centralized personnel sanctions process. Disciplinary actions may include warnings, suspension, termination, or legal action, depending on severity.
FRHC escalates personnel-related security issues to STH for handling.
- Parent Policy Mapping: STH Human Resources Security Policy, Section 3.7
- SCF Mapping: HRS-07 (Personnel Sanctions)
3.8 Personnel Transfer
Section titled “3.8 Personnel Transfer”STH manages personnel transfers affecting FRHC roles. Access rights are reviewed and adjusted centrally to ensure alignment with new responsibilities and to prevent inappropriate access.
- Parent Policy Mapping: STH Human Resources Security Policy, Section 3.8
- SCF Mapping: HRS-08 (Personnel Transfer)
3.9 Personnel Termination
Section titled “3.9 Personnel Termination”STH coordinates personnel termination activities for FRHC, including revocation of system access, retrieval of assets, and enforcement of post-employment obligations. All logical access must be revoked no later than the moment of termination. For involuntary terminations, access revocation must be completed prior to the termination conversation where operationally feasible; physical access to locations where personal information records are stored must be discontinued simultaneously.
- Parent Policy Mapping: STH Human Resources Security Policy, Section 3.9
- SCF Mapping: HRS-09 (Personnel Termination)
3.10 Separation of Duties
Section titled “3.10 Separation of Duties”Separation of duties is enforced through role design and access controls defined by STH. FRHC relies on STH to ensure that no individual has excessive control over critical processes or systems.
- Parent Policy Mapping: STH Human Resources Security Policy, Section 3.10
- SCF Mapping: HRS-11 (Separation of Duties (SoD))
4. Compliance & Governance
Section titled “4. Compliance & Governance”FRHC maintains evidence supporting human resources security controls, including screening records, signed agreements, access control change logs, and termination records. Evidence is retained and made available to Summit Technology Holdings, LLC (STH) to support enterprise governance, audit, and compliance activities.
5. Enforcement
Section titled “5. Enforcement”All users (employees, contractors, part-time and temporary workers) and those employed by others to perform work for the organization, or who have been granted access to IT assets or facilities, are covered by this standard and must comply with its associated policies, procedures, standards and guidelines.
Failure to comply with this standard and associated guidelines may result in suspension of use privileges or other disciplinary actions up to and including termination and/or legal action.
6. References
Section titled “6. References”Parent Policy:
- Summit Technology Holdings – Human Resources Security Policy
Regulatory Requirements:
- HIPAA Security Rule:
- 45 CFR §164.308(a)(3) – Workforce Security
- AICPA SOC 2 Trust Services Criteria:
- Security (CC1.1, CC6.1)
- Confidentiality (C1.1)
- Massachusetts 201 CMR 17.00: §17.03(2)(h) – Termination of Access to Personal Information When Employment Ends
Framework Alignment:
- HRS-02 – Position Categorization
- HRS-03 – Defined Roles & Responsibilities
- HRS-04 – Personnel Screening
- HRS-05 – Terms of Employment
- HRS-06 – Access Agreements
- HRS-07 – Personnel Sanctions
- HRS-08 – Personnel Transfer
- HRS-09 – Personnel Termination
- HRS-11 – Separation of Duties (SoD)
7. Revision Tracking
Section titled “7. Revision Tracking”| Rev | Description | Date | Approved |
|---|---|---|---|
| - | Policy created | July 2021 | M Machin |
| 1.0 | Formatting Update | September 2022 | WSI |
| 2.0 | Updated and approved for 2024 | July 2024 | WSI |
| 3.0 | Updated and approved for 2025 | July 2025 | M Machin |
| 4.0 | Converted to Standard | April 2026 | M Machin |
| 4.1 | Strengthened termination access revocation timing (§3.8); added 201 CMR 17.00 §17.03(2)(h) citation | April 2026 | M Machin |
| 5.0 | Updated and approved for 2026 | July 2026 | M Machin |
