Incident Response Standard
Organization: FrontRunnerHC, Inc. (FRHC)
Parent Policy Reference: Summit Technology Holdings – Incident Response Policy
Framework Reference: Secure Controls Framework – Incident Response (IRO)
1. Purpose
Section titled “1. Purpose”This standard defines how FrontRunnerHC (FRHC) implements the enterprise-wide Incident Response requirements established by Summit Technology Holdings, LLC (STH). It documents the controls and practices used to identify, report, assess, respond to, and recover from security and privacy incidents to minimize impact, meet regulatory obligations, and capture lessons learned.
2. Applicability
Section titled “2. Applicability”This standard applies to all FRHC systems, applications, personnel, and facilities subject to cybersecurity or data privacy incidents. It covers incidents affecting systems that process, store, or transmit ePHI, as well as any event that could impact the confidentiality, integrity, or availability of FRHC operations or client data.
3. Standard
Section titled “3. Standard”3.1 Incident Response Operations
Section titled “3.1 Incident Response Operations”FRHC maintains comprehensive incident response procedures that cover diverse incident types, guiding the response process from identification through remediation and resolution. These procedures are integrated with FRHC’s broader business continuity and disaster recovery framework. All security incidents—regardless of identifying source—are addressed using established incident response policies and procedures.
- Parent Policy Mapping: STH Incident Response Policy, Section 3.1
- SCF Mapping: IRO-01 (Incident Response Operations), IRO-02 (Incident Handling)
3.2 Incident Response Plan
Section titled “3.2 Incident Response Plan”FRHC maintains a documented Incident Response Plan (IRP) that includes processes for responding to incidents, notifying stakeholders, and conducting post-incident evaluations. The IRP, along with the Breach Notification Plan and associated procedures, are reviewed annually and updated based on changes in the business environment or outcomes of testing. The IRP is made available to all relevant stakeholders.
- Parent Policy Mapping: STH Incident Response Policy, Section 3.3
- SCF Mapping: IRO-04 (Incident Response Plan (IRP))
3.3 Incident Response Testing
Section titled “3.3 Incident Response Testing”FRHC conducts formal incident response tests annually. Outcomes are reviewed in Computer Security Team (CST) meetings, and findings are incorporated into plan improvements. Real-world incidents may serve as tests when they sufficiently exercise the IRP’s scope.
- Parent Policy Mapping: STH Incident Response Policy, Section 3.4
- SCF Mapping: IRO-06 (Incident Response Testing)
3.4 Integrated Security Incident Response Team
Section titled “3.4 Integrated Security Incident Response Team”FRHC’s Computer Security Team (CST) serves as the integrated incident response team. The CST includes representatives from IT, Application Development, Business Operations, and Executive Leadership, and is led by the CISO. The CST meets monthly to review incidents and broader security matters.
- Parent Policy Mapping: STH Incident Response Policy, Section 3.5
- SCF Mapping: IRO-07 (Integrated Security Incident Response Team (ISIRT))
3.5 Chain of Custody & Forensics
Section titled “3.5 Chain of Custody & Forensics”The CISO is responsible for preserving and documenting the chain of custody for digital and physical evidence during security incidents. A formal Chain of Custody Form (found in Appendix A of the IRP) is completed and retained indefinitely when affected systems or devices are transferred to third parties for analysis.
- Parent Policy Mapping: STH Incident Response Policy, Section 3.6
- SCF Mapping: IRO-08 (Chain of Custody & Forensics)
3.6 Situational Awareness for Incidents
Section titled “3.6 Situational Awareness for Incidents”FRHC immediately notifies appropriate internal stakeholders when an incident occurs and keeps them updated throughout the incident lifecycle. Stakeholders may be involved in the response process as needed to ensure coordinated situational awareness.
- Parent Policy Mapping: STH Incident Response Policy, Section 3.7
- SCF Mapping: IRO-09 (Situational Awareness For Incidents)
3.7 Incident Stakeholder Reporting
Section titled “3.7 Incident Stakeholder Reporting”Incidents are immediately reported to the President/CEO, CISO, and CST. External reporting to clients, regulators, and third parties — including breach notification for incidents involving ePHI — is governed by the STH Breach Notification Procedure. Unless otherwise required by contract, external notifications occur within 48 hours of incident detection, subject to adjustment by the President/CEO. Supply chain participants involved in the incident are notified promptly, and collaborative remediation is pursued.
- Parent Policy Mapping: STH Incident Response Policy, Section 3.8
- STH Procedure: Summit Technology Holdings – Breach Notification Procedure
- SCF Mapping: IRO-10 (Incident Stakeholder Reporting), IRO-10.2 (Cyber Incident Reporting for Sensitive Data), IRO-04.1 (Data Breach)
3.8 Root Cause Analysis & Lessons Learned
Section titled “3.8 Root Cause Analysis & Lessons Learned”Each incident is followed by a documented root cause analysis and lessons-learned summary. This includes cause identification, corrective action planning, and recommendations for preventing or more efficiently handling future events. The analysis is captured in the final incident report.
- Parent Policy Mapping: STH Incident Response Policy, Section 3.9
- SCF Mapping: IRO-13 (Root Cause Analysis (RCA) & Lessons Learned)
3.9 Regulatory & Law Enforcement Contacts
Section titled “3.9 Regulatory & Law Enforcement Contacts”FRHC maintains established reporting contacts with applicable regulatory and law enforcement entities, including: FBI Boston Field Office, FBI IC3, CISA, the National Cyber Investigative Joint Task Force (CyWatch), HHS Breach Notification Portal, and the Massachusetts Office of Consumer Affairs. These contacts are reviewed periodically and engaged when applicable during incident handling.
- Parent Policy Mapping: STH Incident Response Policy, Section 3.10
- SCF Mapping: IRO-14 (Regulatory & Law Enforcement Contacts)
4. Compliance & Governance
Section titled “4. Compliance & Governance”FRHC maintains evidence supporting incident response controls, including the IRP, incident logs, test records, chain of custody documentation, stakeholder notification records, and root cause analyses. Evidence is retained and made available to Summit Technology Holdings, LLC (STH) to support enterprise governance, audit, and compliance activities.
5. Enforcement
Section titled “5. Enforcement”All users (employees, contractors, part-time and temporary workers) and those employed by others to perform work for the organization, or who have been granted access to IT assets or facilities, are covered by this standard and must comply with its associated policies, procedures, standards and guidelines.
Failure to comply with this standard and associated guidelines may result in suspension of use privileges or other disciplinary actions up to and including termination and/or legal action.
6. References
Section titled “6. References”Parent Policy:
- Summit Technology Holdings – Incident Response Policy
STH Procedures:
Regulatory Requirements:
- HIPAA Security Rule:
- 45 CFR §164.308(a)(6)(ii) – Security Incident Procedures
- 45 CFR §164.400–414 – Breach Notification Requirements
- AICPA SOC 2 Trust Services Criteria:
- Security (CC7.4, CC7.5)
- Availability (A1.2)
Framework Alignment:
- IRO-01 – Incident Response Operations
- IRO-02 – Incident Handling
- IRO-04 – Incident Response Plan (IRP)
- IRO-04.1 – Data Breach
- IRO-06 – Incident Response Testing
- IRO-07 – Integrated Security Incident Response Team (ISIRT)
- IRO-08 – Chain of Custody & Forensics
- IRO-09 – Situational Awareness For Incidents
- IRO-10 – Incident Stakeholder Reporting
- IRO-10.2 – Cyber Incident Reporting for Sensitive Data
- IRO-13 – Root Cause Analysis (RCA) & Lessons Learned
- IRO-14 – Regulatory & Law Enforcement Contacts
7. Revision Tracking
Section titled “7. Revision Tracking”| Rev | Description | Date | Approved |
|---|---|---|---|
| - | Policy created | June 2021 | M Machin |
| 1.0 | General update/review | October 2023 | M Machin |
| 2.0 | Updated and approved for 2024 | July 2024 | WSI |
| 3.0 | Updated and approved for 2025 | July 2025 | M Machin |
| 4.0 | Converted to Standard | April 2026 | M Machin |
| 4.1 | Added reference to STH Breach Notification Procedure; updated IRO-04.1 and IRO-10.2 mappings | April 2026 | M Machin |
| 4.2 | Corrected parent policy mapping references to current section format (Section N → Section 3.x) | April 2026 | M Machin |
