Threat Management Standard
Organization: FrontRunnerHC, Inc. (FRHC)
Parent Policy Reference: Summit Technology Holdings – Threat Management Policy
Framework Reference: Secure Controls Framework – Threat Management (THR)
1. Purpose
Section titled “1. Purpose”This standard defines how FrontRunnerHC (FRHC) participates in and acts upon the enterprise-wide Threat Management program maintained centrally by Summit Technology Holdings, LLC (STH). Threat intelligence collection, analysis, and distribution are centralized at STH; FRHC’s role is to consume, apply, and respond to intelligence and guidance provided by STH. This standard documents FRHC’s obligations and compliance approach.
2. Applicability
Section titled “2. Applicability”This standard applies to all FRHC IT and security staff involved in monitoring, detection, incident response, or vulnerability management activities. It applies to all FRHC systems, networks, and environments where STH-provided threat intelligence and mitigations are relevant.
3. Standard
Section titled “3. Standard”3.1 Threat Intelligence Program
Section titled “3.1 Threat Intelligence Program”STH centrally maintains the enterprise Threat Intelligence Program. This program is responsible for collecting, validating, correlating, and distributing threat intelligence from trusted government, industry, vendor, and open-source sources.
FRHC consumes threat intelligence disseminated by STH and integrates it into local security operations, including monitoring, alerting, incident response, vulnerability management, and risk management activities.
- Parent Policy Mapping: STH Threat Management Policy, Section 3.1
- SCF Mapping: THR-01 (Threat Intelligence Program)
3.2 Threat Intelligence Feeds
Section titled “3.2 Threat Intelligence Feeds”STH centrally subscribes to and manages enterprise threat intelligence feeds, including intelligence from Microsoft, CrowdStrike, and the Cybersecurity and Infrastructure Security Agency (CISA).
Relevant alerts, advisories, indicators of compromise (IOCs), and recommended defensive actions are distributed by STH to FRHC. FRHC is responsible for implementing applicable mitigations, detection rules, and compensating controls within its AWS, SaaS, and application environments.
- Parent Policy Mapping: STH Threat Management Policy, Section 3.2
- SCF Mapping: THR-03 (Threat Intelligence Feeds)
3.3 Threat Catalog
Section titled “3.3 Threat Catalog”STH maintains access to actively curated third-party threat catalogs that document relevant threat actors, attacker tactics, techniques, and procedures (TTPs), and associated indicators.
FRHC leverages threat catalog information provided by STH—including data surfaced through the Microsoft Defender portal—to support incident response, threat hunting, risk assessments, and validation of control coverage within FRHC environments.
- Parent Policy Mapping: STH Threat Management Policy, Section 3.3
- SCF Mapping: THR-09 (Threat Catalog)
3.4 Threat Analysis
Section titled “3.4 Threat Analysis”STH performs enterprise-level threat analysis to identify trends, assess evolving threats, and inform defensive strategies. Analysis outputs are communicated to subsidiaries, including FRHC.
FRHC applies threat analysis results by correlating threat intelligence with asset inventory, exposure profiles, vulnerability data, and monitoring telemetry. Outcomes inform updates to detection logic, security controls, incident response procedures, and risk remediation priorities.
- Parent Policy Mapping: STH Threat Management Policy, Section 3.4
- SCF Mapping: THR-10 (Threat Analysis)
4. Compliance & Governance
Section titled “4. Compliance & Governance”FRHC maintains records of mitigations implemented in response to STH-provided threat intelligence and advisories. FRHC IT Security reviews STH communications promptly and tracks implementation of recommended controls through FRHC’s security operations process. Evidence is retained to support SOC 2 Type II audits and HIPAA Security Rule compliance assessments.
5. Enforcement
Section titled “5. Enforcement”All users (employees, contractors, part-time and temporary workers) and those employed by others to perform work for the organization, or who have been granted access to IT assets or facilities, are covered by this standard and must comply with its associated policies, procedures, standards and guidelines.
Failure to comply with this standard and associated guidelines may result in suspension of use privileges or other disciplinary actions up to and including termination and/or legal action.
6. References
Section titled “6. References”Parent Policy:
- Summit Technology Holdings – Threat Management Policy
Regulatory Requirements:
- HIPAA Security Rule:
- 45 CFR §164.308(a)(1)(ii)(A) – Risk Analysis
- 45 CFR §164.308(a)(6) – Security Incident Procedures
- AICPA SOC 2 Trust Services Criteria:
- Security (CC7.2, CC7.4)
Framework Alignment:
- THR-01 – Threat Intelligence Program
- THR-03 – Threat Intelligence Feeds
- THR-09 – Threat Catalog
- THR-10 – Threat Analysis
7. Revision Tracking
Section titled “7. Revision Tracking”| Rev | Description | Date | Approved |
|---|---|---|---|
| - | Policy created | July 2021 | M Machin |
| 1.0 | Formatting Update | September 2022 | WSI |
| 2.0 | Updated and approved for 2024 | July 2024 | WSI |
| 3.0 | Updated and approved for 2025 | July 2025 | M Machin |
| 4.0 | Converted to Standard | April 2026 | M Machin |
| 5.0 | updated and approved for 2026 | July 2026 | M Machin |
