Information Assurance Standard
Organization: FrontRunnerHC, Inc. (FRHC)
Parent Policy Reference: Summit Technology Holdings – Information Assurance Policy
Framework Reference: Secure Controls Framework – Information Assurance (IAO)
1. Purpose
Section titled “1. Purpose”This standard defines how FrontRunnerHC (FRHC) implements the enterprise-wide Information Assurance requirements established by Summit Technology Holdings, LLC (STH). It documents the controls and practices used to validate the effectiveness of security controls, conduct assessments, and provide ongoing assurance that FRHC systems operate securely and in compliance with applicable requirements.
2. Applicability
Section titled “2. Applicability”This standard applies to all FRHC systems, applications, and services that process, store, or transmit sensitive or regulated data, including ePHI. It extends to third-party services operating under contract with FRHC where assurance activities are required.
3. Standard
Section titled “3. Standard”3.1 Information Assurance Operations
Section titled “3.1 Information Assurance Operations”FRHC incorporates information assurance into its governance and operational workflows. Security leaders monitor control effectiveness through regular reviews, audits, and key performance indicators. Assurance activities are coordinated between compliance, IT, and security teams and reviewed periodically by senior leadership to support decision-making and corrective action.
- Parent Policy Mapping: STH Information Assurance Policy, Section 3.1
- SCF Mapping: IAO-01 (Information Assurance (IA) Operations)
3.2 Assessments
Section titled “3.2 Assessments”FRHC undergoes an annual SOC 2 Type II audit conducted by an independent third-party audit firm. The audit evaluates the design and operating effectiveness of security controls across the Trust Services Criteria (Security, Availability, and Confidentiality). Results are reviewed by executive leadership and used to guide improvements in risk management and information security strategy.
- Parent Policy Mapping: STH Information Assurance Policy, Section 3.2
- SCF Mapping: IAO-02 (Assessments)
4. Compliance & Governance
Section titled “4. Compliance & Governance”FRHC maintains evidence supporting information assurance activities, including SOC 2 audit reports, internal review records, and remediation tracking. Evidence is retained and made available to Summit Technology Holdings, LLC (STH) to support enterprise governance, audit, and compliance activities.
5. Enforcement
Section titled “5. Enforcement”All users (employees, contractors, part-time and temporary workers) and those employed by others to perform work for the organization, or who have been granted access to IT assets or facilities, are covered by this standard and must comply with its associated policies, procedures, standards and guidelines.
Failure to comply with this standard and associated guidelines may result in suspension of use privileges or other disciplinary actions up to and including termination and/or legal action.
6. References
Section titled “6. References”Parent Policy:
- Summit Technology Holdings – Information Assurance Policy
Regulatory Requirements:
- HIPAA Security Rule:
- 45 CFR §164.308(a)(1)(ii)(A) – Risk Analysis
- 45 CFR §164.308(a)(1)(ii)(B) – Risk Management
- 45 CFR §164.308(a)(8) – Evaluation
- AICPA SOC 2 Trust Services Criteria:
- Security (CC4.1, CC4.2)
- Availability (A1.2)
Framework Alignment:
- IAO-01 – Information Assurance (IA) Operations
- IAO-02 – Assessments
7. Revision Tracking
Section titled “7. Revision Tracking”| Rev | Description | Date | Approved |
|---|---|---|---|
| - | Policy created | July 2021 | M Machin |
| 1.0 | Formatting Update | September 2022 | WSI |
| 2.0 | Updated and approved for 2024 | July 2024 | WSI |
| 3.0 | Updated and approved for 2025 | July 2025 | M Machin |
| 4.0 | Converted to Standard | April 2026 | M Machin |
| 4.1 | Corrected parent policy mapping references to current section format (Section N → Section 3.x) | April 2026 | M Machin |
