Skip to content

Incident Response Standard

Organization: FrontRunnerHC, Inc. (FRHC)
Parent Policy Reference: Summit Technology Holdings – Incident Response Policy
Framework Reference: Secure Controls Framework – Incident Response (IRO)


This standard defines how FrontRunnerHC (FRHC) implements the enterprise-wide Incident Response requirements established by Summit Technology Holdings, LLC (STH). It documents the controls and practices used to identify, report, assess, respond to, and recover from security and privacy incidents to minimize impact, meet regulatory obligations, and capture lessons learned.


This standard applies to all FRHC systems, applications, personnel, and facilities subject to cybersecurity or data privacy incidents. It covers incidents affecting systems that process, store, or transmit ePHI, as well as any event that could impact the confidentiality, integrity, or availability of FRHC operations or client data.


FRHC maintains comprehensive incident response procedures that cover diverse incident types, guiding the response process from identification through remediation and resolution. These procedures are integrated with FRHC’s broader business continuity and disaster recovery framework. All security incidents—regardless of identifying source—are addressed using established incident response policies and procedures.

  • Parent Policy Mapping: STH Incident Response Policy, Section 3.1
  • SCF Mapping: IRO-01 (Incident Response Operations), IRO-02 (Incident Handling)

FRHC maintains a documented Incident Response Plan (IRP) that includes processes for responding to incidents, notifying stakeholders, and conducting post-incident evaluations. The IRP, along with the Breach Notification Plan and associated procedures, are reviewed annually and updated based on changes in the business environment or outcomes of testing. The IRP is made available to all relevant stakeholders.

  • Parent Policy Mapping: STH Incident Response Policy, Section 3.3
  • SCF Mapping: IRO-04 (Incident Response Plan (IRP))

FRHC conducts formal incident response tests annually. Outcomes are reviewed in Computer Security Team (CST) meetings, and findings are incorporated into plan improvements. Real-world incidents may serve as tests when they sufficiently exercise the IRP’s scope.

  • Parent Policy Mapping: STH Incident Response Policy, Section 3.4
  • SCF Mapping: IRO-06 (Incident Response Testing)

3.4 Integrated Security Incident Response Team

Section titled “3.4 Integrated Security Incident Response Team”

FRHC’s Computer Security Team (CST) serves as the integrated incident response team. The CST includes representatives from IT, Application Development, Business Operations, and Executive Leadership, and is led by the CISO. The CST meets monthly to review incidents and broader security matters.

  • Parent Policy Mapping: STH Incident Response Policy, Section 3.5
  • SCF Mapping: IRO-07 (Integrated Security Incident Response Team (ISIRT))

The CISO is responsible for preserving and documenting the chain of custody for digital and physical evidence during security incidents. A formal Chain of Custody Form (found in Appendix A of the IRP) is completed and retained indefinitely when affected systems or devices are transferred to third parties for analysis.

  • Parent Policy Mapping: STH Incident Response Policy, Section 3.6
  • SCF Mapping: IRO-08 (Chain of Custody & Forensics)

FRHC immediately notifies appropriate internal stakeholders when an incident occurs and keeps them updated throughout the incident lifecycle. Stakeholders may be involved in the response process as needed to ensure coordinated situational awareness.

  • Parent Policy Mapping: STH Incident Response Policy, Section 3.7
  • SCF Mapping: IRO-09 (Situational Awareness For Incidents)

Incidents are immediately reported to the President/CEO, CISO, and CST. External reporting to clients, regulators, and third parties — including breach notification for incidents involving ePHI — is governed by the STH Breach Notification Procedure. Unless otherwise required by contract, external notifications occur within 48 hours of incident detection, subject to adjustment by the President/CEO. Supply chain participants involved in the incident are notified promptly, and collaborative remediation is pursued.


Each incident is followed by a documented root cause analysis and lessons-learned summary. This includes cause identification, corrective action planning, and recommendations for preventing or more efficiently handling future events. The analysis is captured in the final incident report.

  • Parent Policy Mapping: STH Incident Response Policy, Section 3.9
  • SCF Mapping: IRO-13 (Root Cause Analysis (RCA) & Lessons Learned)

FRHC maintains established reporting contacts with applicable regulatory and law enforcement entities, including: FBI Boston Field Office, FBI IC3, CISA, the National Cyber Investigative Joint Task Force (CyWatch), HHS Breach Notification Portal, and the Massachusetts Office of Consumer Affairs. These contacts are reviewed periodically and engaged when applicable during incident handling.

  • Parent Policy Mapping: STH Incident Response Policy, Section 3.10
  • SCF Mapping: IRO-14 (Regulatory & Law Enforcement Contacts)

FRHC maintains evidence supporting incident response controls, including the IRP, incident logs, test records, chain of custody documentation, stakeholder notification records, and root cause analyses. Evidence is retained and made available to Summit Technology Holdings, LLC (STH) to support enterprise governance, audit, and compliance activities.


All users (employees, contractors, part-time and temporary workers) and those employed by others to perform work for the organization, or who have been granted access to IT assets or facilities, are covered by this standard and must comply with its associated policies, procedures, standards and guidelines.

Failure to comply with this standard and associated guidelines may result in suspension of use privileges or other disciplinary actions up to and including termination and/or legal action.


Parent Policy:

  • Summit Technology Holdings – Incident Response Policy

STH Procedures:

Regulatory Requirements:

  • HIPAA Security Rule:
    • 45 CFR §164.308(a)(6)(ii) – Security Incident Procedures
    • 45 CFR §164.400–414 – Breach Notification Requirements
  • AICPA SOC 2 Trust Services Criteria:
    • Security (CC7.4, CC7.5)
    • Availability (A1.2)

Framework Alignment:

  • IRO-01 – Incident Response Operations
  • IRO-02 – Incident Handling
  • IRO-04 – Incident Response Plan (IRP)
  • IRO-04.1 – Data Breach
  • IRO-06 – Incident Response Testing
  • IRO-07 – Integrated Security Incident Response Team (ISIRT)
  • IRO-08 – Chain of Custody & Forensics
  • IRO-09 – Situational Awareness For Incidents
  • IRO-10 – Incident Stakeholder Reporting
  • IRO-10.2 – Cyber Incident Reporting for Sensitive Data
  • IRO-13 – Root Cause Analysis (RCA) & Lessons Learned
  • IRO-14 – Regulatory & Law Enforcement Contacts

RevDescriptionDateApproved
-Policy createdJune 2021M Machin
1.0General update/reviewOctober 2023M Machin
2.0Updated and approved for 2024July 2024WSI
3.0Updated and approved for 2025July 2025M Machin
4.0Converted to StandardApril 2026M Machin
4.1Added reference to STH Breach Notification Procedure; updated IRO-04.1 and IRO-10.2 mappingsApril 2026M Machin
4.2Corrected parent policy mapping references to current section format (Section N → Section 3.x)April 2026M Machin

Internal Use Only