Skip to content

Information Assurance Standard

Organization: FrontRunnerHC, Inc. (FRHC)
Parent Policy Reference: Summit Technology Holdings – Information Assurance Policy
Framework Reference: Secure Controls Framework – Information Assurance (IAO)


This standard defines how FrontRunnerHC (FRHC) implements the enterprise-wide Information Assurance requirements established by Summit Technology Holdings, LLC (STH). It documents the controls and practices used to validate the effectiveness of security controls, conduct assessments, and provide ongoing assurance that FRHC systems operate securely and in compliance with applicable requirements.


This standard applies to all FRHC systems, applications, and services that process, store, or transmit sensitive or regulated data, including ePHI. It extends to third-party services operating under contract with FRHC where assurance activities are required.


FRHC incorporates information assurance into its governance and operational workflows. Security leaders monitor control effectiveness through regular reviews, audits, and key performance indicators. Assurance activities are coordinated between compliance, IT, and security teams and reviewed periodically by senior leadership to support decision-making and corrective action.

  • Parent Policy Mapping: STH Information Assurance Policy, Section 3.1
  • SCF Mapping: IAO-01 (Information Assurance (IA) Operations)

FRHC undergoes an annual SOC 2 Type II audit conducted by an independent third-party audit firm. The audit evaluates the design and operating effectiveness of security controls across the Trust Services Criteria (Security, Availability, and Confidentiality). Results are reviewed by executive leadership and used to guide improvements in risk management and information security strategy.

  • Parent Policy Mapping: STH Information Assurance Policy, Section 3.2
  • SCF Mapping: IAO-02 (Assessments)

FRHC maintains evidence supporting information assurance activities, including SOC 2 audit reports, internal review records, and remediation tracking. Evidence is retained and made available to Summit Technology Holdings, LLC (STH) to support enterprise governance, audit, and compliance activities.


All users (employees, contractors, part-time and temporary workers) and those employed by others to perform work for the organization, or who have been granted access to IT assets or facilities, are covered by this standard and must comply with its associated policies, procedures, standards and guidelines.

Failure to comply with this standard and associated guidelines may result in suspension of use privileges or other disciplinary actions up to and including termination and/or legal action.


Parent Policy:

  • Summit Technology Holdings – Information Assurance Policy

Regulatory Requirements:

  • HIPAA Security Rule:
    • 45 CFR §164.308(a)(1)(ii)(A) – Risk Analysis
    • 45 CFR §164.308(a)(1)(ii)(B) – Risk Management
    • 45 CFR §164.308(a)(8) – Evaluation
  • AICPA SOC 2 Trust Services Criteria:
    • Security (CC4.1, CC4.2)
    • Availability (A1.2)

Framework Alignment:

  • IAO-01 – Information Assurance (IA) Operations
  • IAO-02 – Assessments

RevDescriptionDateApproved
-Policy createdJuly 2021M Machin
1.0Formatting UpdateSeptember 2022WSI
2.0Updated and approved for 2024July 2024WSI
3.0Updated and approved for 2025July 2025M Machin
4.0Converted to StandardApril 2026M Machin
4.1Corrected parent policy mapping references to current section format (Section N → Section 3.x)April 2026M Machin

Internal Use Only