Skip to content

Security Awareness & Training Standard

Organization: FrontRunnerHC, Inc. (FRHC)
Parent Policy Reference: Summit Technology Holdings – Security Awareness & Training Policy
Framework Reference: Secure Controls Framework – Security Awareness & Training (SAT)


This standard defines how FrontRunnerHC (FRHC) participates in and supports the enterprise-wide Security Awareness & Training program managed centrally by Summit Technology Holdings, LLC (STH). Security awareness and training for FRHC personnel is provided by STH and is not independently developed at the subsidiary level. This standard documents FRHC’s obligations and compliance approach.


This standard applies to all FRHC employees, contractors, and third-party personnel who have access to FRHC systems, applications, or sensitive information, including ePHI.


3.1 Cybersecurity & Data Privacy-Minded Workforce

Section titled “3.1 Cybersecurity & Data Privacy-Minded Workforce”

FRHC supports STH’s enterprise objective of building a security-aware workforce. FRHC leadership reinforces a culture of security and privacy awareness in onboarding, team communications, and day-to-day operations. FRHC managers are responsible for ensuring their teams understand their individual obligations under FRHC’s security and privacy policies.

  • Parent Policy Mapping: STH Security Awareness & Training Policy, Section 3.1
  • SCF Mapping: SAT-01 (Security, Compliance & Resilience-Minded Workforce)

All FRHC employees, contractors, and applicable third-party personnel complete cybersecurity and data privacy awareness training through STH’s centrally managed training platform. Training is required at hire and at least annually thereafter. Topics include phishing and social engineering, secure data handling, password management, HIPAA awareness, and reporting suspicious activity. Training content is maintained and updated by STH to reflect evolving threats and regulatory requirements.

  • Parent Policy Mapping: STH Security Awareness & Training Policy, Section 3.2
  • SCF Mapping: SAT-02 (Security, Compliance & Resilience Awareness Training)

FRHC personnel in roles with elevated security responsibility—including IT staff, system administrators, developers, and compliance personnel—complete role-based training as required by STH’s program. Role-based training addresses the specific threats and responsibilities associated with elevated access or sensitive functions.

  • Parent Policy Mapping: STH Security Awareness & Training Policy, Section 3.3
  • SCF Mapping: SAT-03 (Role-Based Security, Compliance & Resilience Training)

Training completion records for FRHC personnel are maintained in STH’s centralized training management system. FRHC management monitors completion status and escalates non-compliance to ensure all personnel satisfy training requirements on schedule. Records are made available to support SOC 2 Type II audits and HIPAA Security Rule compliance assessments.

  • Parent Policy Mapping: STH Security Awareness & Training Policy, Section 3.4
  • SCF Mapping: SAT-04 (Security, Compliance & Resilience Training Records)

FRHC relies on STH’s centralized platform for training delivery and completion tracking. FRHC management reviews training completion reports at least annually to confirm that all required personnel have completed mandatory training. Non-compliance is escalated promptly, and remediation (completion of overdue training) is tracked to resolution.


All users (employees, contractors, part-time and temporary workers) and those employed by others to perform work for the organization, or who have been granted access to IT assets or facilities, are covered by this standard and must comply with its associated policies, procedures, standards and guidelines.

Failure to comply with this standard and associated guidelines may result in suspension of use privileges or other disciplinary actions up to and including termination and/or legal action.


Parent Policy:

  • Summit Technology Holdings – Security Awareness & Training Policy

Regulatory Requirements:

  • HIPAA Security Rule:
    • 45 CFR §164.308(a)(5) – Security Awareness & Training
  • AICPA SOC 2 Trust Services Criteria:
    • Security (CC5.2, CC5.3)

Framework Alignment:

  • SAT-01 – Security, Compliance & Resilience-Minded Workforce
  • SAT-02 – Security, Compliance & Resilience Awareness Training
  • SAT-03 – Role-Based Security, Compliance & Resilience Training
  • SAT-04 – Security, Compliance & Resilience Training Records

RevDescriptionDateApproved
-Policy createdJuly 2021M Machin
1.0Formatting UpdateSeptember 2022WSI
2.0Updated and approved for 2024July 2024WSI
3.0Updated and approved for 2025July 2025M Machin
4.0Converted to StandardApril 2026M Machin

Internal Use Only