Skip to content

Threat Management Standard

Organization: FrontRunnerHC, Inc. (FRHC)
Parent Policy Reference: Summit Technology Holdings – Threat Management Policy Framework Reference: Secure Controls Framework – Threat Management (THR)


This standard defines how FrontRunnerHC (FRHC) participates in and acts upon the enterprise-wide Threat Management program maintained centrally by Summit Technology Holdings, LLC (STH). Threat intelligence collection, analysis, and distribution are centralized at STH; FRHC’s role is to consume, apply, and respond to intelligence and guidance provided by STH. This standard documents FRHC’s obligations and compliance approach.


This standard applies to all FRHC IT and security staff involved in monitoring, detection, incident response, or vulnerability management activities. It applies to all FRHC systems, networks, and environments where STH-provided threat intelligence and mitigations are relevant.


STH centrally maintains the enterprise Threat Intelligence Program. This program is responsible for collecting, validating, correlating, and distributing threat intelligence from trusted government, industry, vendor, and open-source sources.

FRHC consumes threat intelligence disseminated by STH and integrates it into local security operations, including monitoring, alerting, incident response, vulnerability management, and risk management activities.

  • Parent Policy Mapping: STH Threat Management Policy, Section 3.1
  • SCF Mapping: THR-01 (Threat Intelligence Program)

STH centrally subscribes to and manages enterprise threat intelligence feeds, including intelligence from Microsoft, CrowdStrike, and the Cybersecurity and Infrastructure Security Agency (CISA).

Relevant alerts, advisories, indicators of compromise (IOCs), and recommended defensive actions are distributed by STH to FRHC. FRHC is responsible for implementing applicable mitigations, detection rules, and compensating controls within its AWS, SaaS, and application environments.

  • Parent Policy Mapping: STH Threat Management Policy, Section 3.2
  • SCF Mapping: THR-03 (Threat Intelligence Feeds)

STH maintains access to actively curated third-party threat catalogs that document relevant threat actors, attacker tactics, techniques, and procedures (TTPs), and associated indicators.

FRHC leverages threat catalog information provided by STH—including data surfaced through the Microsoft Defender portal—to support incident response, threat hunting, risk assessments, and validation of control coverage within FRHC environments.

  • Parent Policy Mapping: STH Threat Management Policy, Section 3.3
  • SCF Mapping: THR-09 (Threat Catalog)

STH performs enterprise-level threat analysis to identify trends, assess evolving threats, and inform defensive strategies. Analysis outputs are communicated to subsidiaries, including FRHC.

FRHC applies threat analysis results by correlating threat intelligence with asset inventory, exposure profiles, vulnerability data, and monitoring telemetry. Outcomes inform updates to detection logic, security controls, incident response procedures, and risk remediation priorities.

  • Parent Policy Mapping: STH Threat Management Policy, Section 3.4
  • SCF Mapping: THR-10 (Threat Analysis)

FRHC maintains records of mitigations implemented in response to STH-provided threat intelligence and advisories. FRHC IT Security reviews STH communications promptly and tracks implementation of recommended controls through FRHC’s security operations process. Evidence is retained to support SOC 2 Type II audits and HIPAA Security Rule compliance assessments.


All users (employees, contractors, part-time and temporary workers) and those employed by others to perform work for the organization, or who have been granted access to IT assets or facilities, are covered by this standard and must comply with its associated policies, procedures, standards and guidelines.

Failure to comply with this standard and associated guidelines may result in suspension of use privileges or other disciplinary actions up to and including termination and/or legal action.


Parent Policy:

  • Summit Technology Holdings – Threat Management Policy

Regulatory Requirements:

  • HIPAA Security Rule:
    • 45 CFR §164.308(a)(1)(ii)(A) – Risk Analysis
    • 45 CFR §164.308(a)(6) – Security Incident Procedures
  • AICPA SOC 2 Trust Services Criteria:
    • Security (CC7.2, CC7.4)

Framework Alignment:

  • THR-01 – Threat Intelligence Program
  • THR-03 – Threat Intelligence Feeds
  • THR-09 – Threat Catalog
  • THR-10 – Threat Analysis

RevDescriptionDateApproved
-Policy createdJuly 2021M Machin
1.0Formatting UpdateSeptember 2022WSI
2.0Updated and approved for 2024July 2024WSI
3.0Updated and approved for 2025July 2025M Machin
4.0Converted to StandardApril 2026M Machin
5.0updated and approved for 2026July 2026M Machin

Internal Use Only