
Audit of Information Systems and General and Application Controls at BlueCross BlueShield of North Carolina

Published by the Office of Personnel Management, Office of Inspector General on 2015-06-18.


U.S. OFFICE OF PERSONNEL MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS

Final Audit Report
AUDIT OF INFORMATION SYSTEMS GENERAL AND APPLICATION CONTROLS AT BLUE CROSS BLUE SHIELD OF NORTH CAROLINA
Report Number 1A-10-33-14-062
June 18, 2015




-- CAUTION --
This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available under the Freedom of Information Act and made available to the public on the OIG webpage (http://www.opm.gov/our-inspector-general), caution needs to be exercised before releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.
EXECUTIVE SUMMARY

Audit of Information Systems General and Application Controls at Blue Cross Blue Shield of North Carolina

Report No 1A-10-33-14-062                                    June 18, 2015

Why Did We Conduct the Audit?
The objectives of this audit were to evaluate controls over the confidentiality, integrity, and availability of Federal Employee Health Benefit Plan (FEHBP) data processed and maintained in Blue Cross Blue Shield of North Carolina’s (BCBSNC) information technology (IT) environment.

What Did We Audit?
The scope of this audit centered on the information systems used by BCBSNC to process medical insurance claims for FEHBP members, with a primary focus on the claims adjudication applications.

What Did We Find?
Our audit of the IT security controls of BCBSNC determined that:
- BCBSNC has established an adequate security management program.
- BCBSNC has implemented controls to prevent unauthorized physical access to its facilities, as well as logical controls to protect sensitive information. However, we noted several areas of concern related to BCBSNC’s access controls:
  o There is no technical control to detect or prevent [redacted] at BCBSNC facilities.
  o The current process of reviewing physical access does not require managers to acknowledge the review.
- BCBSNC has implemented an incident response and network security program. However, we noted several areas of concern related to BCBSNC’s network security controls:
  o A patch management policy is in place, but our test work identified several instances where patches are not being implemented in a timely manner.
  o Our test work indicated that [redacted] contained unsupported or out-of-date software.
- BCBSNC has developed formal configuration management policies and baselines for its operating platforms. Furthermore, BCBSNC has a documented change control process for the documented baseline configurations.
- BCBSNC’s business continuity and disaster recovery plans contain the elements suggested by relevant guidance and publications. However, we noted two areas of concern related to BCBSNC’s contingency planning controls:
  o BCBSNC does not verify with individual business units that appropriate business continuity plan testing has occurred.
  o BCBSNC’s disaster recovery plan specific to its federal line of business does not include the necessary level of detail for testing.
- BCBSNC has implemented many controls in its claims adjudication process to ensure that FEHBP claims are processed accurately.

_______________________
Michael R. Esser
Assistant Inspector General for Audits
                                                         i
                  ABBREVIATIONS

the Act   The Federal Employees Health Benefits Act
BCBSA     Blue Cross Blue Shield Association
BCBSNC    Blue Cross Blue Shield of North Carolina
BCP       Business Continuity Plan
CFR       Code of Federal Regulations
FEHBP     Federal Employee’s Health Benefit Plan
FEP       Federal Employee Program
FISCAM    Federal Information Systems Control Audit Manual
GAO       U.S. Government Accountability Office
HIO       Healthcare and Insurance Office
HIPAA     Health Insurance Portability and Accountability Act
IT        Information Technology
NIST      National Institute of Standards and Technology
NIST SP   National Institute of Standards and Technology’s Special Publication
OIG       Office of the Inspector General
OMB       U.S. Office of Management and Budget
OPM       U.S. Office of Personnel Management
Plan      Blue Cross Blue Shield of North Carolina




          TABLE OF CONTENTS

                                                                                                                             Page

          EXECUTIVE SUMMARY ......................................................................................... i


          ABBREVIATIONS ..................................................................................................... ii


  I.	     BACKGROUND ..........................................................................................................1


  II.	    OBJECTIVES, SCOPE, AND METHODOLOGY ..................................................2


  III.	   AUDIT FINDINGS AND RECOMMENDATIONS ................................................5

          1. Security Management ..............................................................................................5

          2. Access Controls .......................................................................................................5

          3. Network Security .....................................................................................................7

          4. Configuration Management ...................................................................................10

          5. Contingency Planning............................................................................................10

          6. Claims Adjudication ..............................................................................................13


  IV.	    MAJOR CONTRIBUTORS TO THIS REPORT ..................................................15


          APPENDIX: The Plan’s February 9, 2015 (amended May 18, 2015) response to the draft audit report, issued December 9, 2014.


          REPORT FRAUD, WASTE, AND MISMANAGEMENT

I. BACKGROUND

This final report details the findings, conclusions, and recommendations resulting from the audit
of general and application controls over the information systems responsible for processing
Federal Employees Health Benefits Program (FEHBP) claims by Blue Cross Blue Shield of
North Carolina (BCBSNC or Plan).

The audit was conducted pursuant to FEHBP contract CS 1039; 5 U.S.C. Chapter 89; and 5 Code
of Federal Regulations (CFR) Chapter 1, Part 890. The audit was performed by the U.S. Office
of Personnel Management’s (OPM) Office of the Inspector General (OIG), as established by the
Inspector General Act of 1978, as amended.

The FEHBP was established by the Federal Employees Health Benefits Act (the Act), enacted on
September 28, 1959. The FEHBP was created to provide health insurance benefits for federal
employees, annuitants, and qualified dependents. The provisions of the Act are implemented by
OPM through regulations codified in Title 5, Chapter 1, Part 890 of the CFR. Health insurance
coverage is made available through contracts with various carriers that provide service benefits,
indemnity benefits, or comprehensive medical services.

This is our second audit of BCBSNC’s information systems. The prior audit report (Report No.
1A-10-33-05-027, dated July 3, 2006) contained 15 recommendations. As part of this audit we
followed up on the status of those prior recommendations and determined that they had all been
adequately resolved.

All BCBSNC personnel that worked with the auditors were helpful and open to ideas and
suggestions. They viewed the audit as an opportunity to examine practices and to make changes
or improvements as necessary. Their positive attitude and helpfulness throughout the audit was
greatly appreciated.




                                                1                           Report No. 1A-10-33-14-062
II. OBJECTIVES, SCOPE, AND METHODOLOGY

Objective
The objectives of this audit were to evaluate controls over the confidentiality, integrity, and
availability of FEHBP data processed and maintained in BCBSNC’s information technology (IT)
environment. We accomplished these objectives by reviewing the following areas:
- Security management;
- Access controls;
- Network security;
- Configuration management;
- Segregation of duties;
- Contingency planning; and
- Application controls specific to BCBSNC’s claims processing systems.



 Scope
 This performance audit was conducted in accordance with generally accepted government
 auditing standards issued by the Comptroller General of the United States. Accordingly, we
 obtained an understanding of BCBSNC’s internal controls through interviews and observations,
 as well as inspection of various documents, including IT and other related organizational policies
 and procedures. This understanding of BCBSNC’s internal controls was used in planning the
 audit by determining the extent of compliance testing and other auditing procedures necessary to
 verify that the internal controls were properly designed, placed in operation, and effective.

 The scope of this audit centered on the information systems used by BCBSNC to process
 medical insurance claims for FEHBP members, with a primary focus on the claims adjudication
 process. BCBSNC participates in a nationwide fee-for-service plan sponsored by the BlueCross
 and BlueShield Association’s (BCBSA) Federal Employee Program (FEP). BCBSNC processes
 FEHBP claims through FEP Direct, the BCBSA’s nation-wide claims adjudication system. The
 business processes reviewed are primarily located in BCBSNC’s Chapel Hill and Durham, North
 Carolina facilities.

 The on-site portion of this audit was performed in August and September of 2014. We
 completed additional audit work before and after the on-site visit at our office in Washington,
 D.C. The findings, recommendations, and conclusions outlined in this report are based on the
 status of information system general and application controls in place at BCBSNC as of October
 2014.


In conducting our audit, we relied to varying degrees on computer-generated data provided by
BCBSNC. Due to time constraints, we did not verify the reliability of the data used to complete
some of our audit steps but we determined that it was adequate to achieve our audit objectives.
However, when our objective was to assess computer-generated data, we completed audit steps
necessary to obtain evidence that the data was valid and reliable.

Methodology
In conducting this audit we:
- Gathered documentation and conducted interviews;
- Reviewed BCBSNC’s business structure and environment;
- Performed a risk assessment of BCBSNC’s information systems environment and
  applications, and prepared an audit program based on the assessment and the U.S.
  Government Accountability Office’s (GAO) Federal Information System Controls Audit
  Manual (FISCAM); and
- Conducted various compliance tests to determine the extent to which established controls and
  procedures are functioning as intended. As appropriate, we used judgmental sampling in
  completing our compliance testing.

Various laws, regulations, and industry standards were used as a guide to evaluating BCBSNC’s
control structure. These criteria include, but are not limited to, the following publications:
- Title 48 of the CFR;
- U.S. Office of Management and Budget (OMB) Circular A-130, Appendix III;
- OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of
  Personally Identifiable Information;
- Information Technology Governance Institute’s COBIT: Control Objectives for Information
  and Related Technology;
- GAO’s FISCAM;
- National Institute of Standards and Technology’s Special Publication (NIST SP) 800-12,
  Introduction to Computer Security;
- NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information
  Technology Systems;
- NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments;
- NIST SP 800-34 Revision 1, Contingency Planning Guide for Federal Information Systems;
- NIST SP 800-41 Revision 1, Guidelines on Firewalls and Firewall Policy;
- NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems
  and Organizations;
- NIST SP 800-61 Revision 2, Computer Security Incident Handling Guide; and
- NIST SP 800-66 Revision 1, An Introductory Resource Guide for Implementing the HIPAA
  Security Rule.


Compliance with Laws and Regulations
In conducting the audit, we performed tests to determine whether BCBSNC’s practices were
consistent with applicable standards. While generally compliant, with respect to the items tested,
BCBSNC was not in complete compliance with all standards as described in the “Audit Findings
and Recommendations” section of this report.




III. AUDIT FINDINGS AND RECOMMENDATIONS

1. Security Management
   The security management component of this audit involved an examination of the policies and
   procedures that are the foundation of BCBSNC’s overall IT security controls. We evaluated
   BCBSNC’s ability to develop security policies, manage risk, assign security-related
   responsibility, and monitor the effectiveness of various system-related controls.

   BCBSNC has implemented a series of formal policies and procedures that comprise its security
   management program. BCBSNC has also developed a thorough risk management methodology
   that allows the Plan to document, track, and mitigate or accept identified risks in a timely
   manner. We also reviewed BCBSNC’s human resources policies and procedures related to
   hiring, training, transferring, and terminating employees.

   Nothing came to our attention to indicate that BCBSNC does not have an adequate security
   management program.

2. Access Controls
   Access controls are the policies, procedures, and techniques used to prevent or detect
   unauthorized physical or logical access to sensitive resources.

   We examined the physical access controls of BCBSNC’s facilities and data centers located in
   [redacted], North Carolina. We also examined the logical controls protecting
   sensitive data in BCBSNC’s network environment and applications.

   The access controls observed during this audit include, but are not limited to:
   - Procedures for appropriately granting physical access to facilities and data centers;
   - Procedures for appropriately granting, adjusting, and removing logical access;
   - Strong environment controls within the data centers; and
   - Controls to monitor and filter e-mail and Internet activity.


   However, the following sections document opportunities for improvement related to BCBSNC’s
   physical access controls.

   a) Access to BCBSNC Facilities
      BCBSNC’s facilities use electronic card readers to control physical access. The BCBSNC
      data center has both card readers and biometric scanners. However, we expect all FEHBP
      contractors to also have some form of technical or physical control to detect or prevent
      [redacted].

   Failure to implement adequate physical access controls increases the risk that unauthorized
   individuals can gain access to confidential data. NIST SP 800-53 Revision 4, “Security and
   Privacy Controls for Federal Information Systems and Organizations,” provides guidance for
   adequately controlling physical access to information systems containing sensitive data.

   Recommendation 1
   We recommend that BCBSNC conduct a review of its physical access controls and
   implement some form of [redacted] prevention controls at its facility entrances.


   Plan Response to Recommendation 1:
   “In response to this recommendation, we have determined that the existing physical access
   controls are appropriate to minimize the likelihood of [redacted]. Currently, the plan
   has the following controls in place to enforce the physical access of our buildings:
   electronic security technology, on-site security personnel, badge readers, CCTV cameras,
   restricted access to restricted areas, security and safety policies and procedures, door
   alarms etc.”

   OIG Reply:
   The physical access controls listed in the Plan’s response above are not in place in every
   BCBSNC building. With the inconsistent implementation of controls, there is a significant
   risk of a physical access breach to areas of the BCBSNC facilities that contain sensitive
   information. A badge reader alone does not prevent [redacted] into the facility. At a
   minimum, a formal assessment should be done to consider the risks from unauthorized entry
   into BCBSNC facilities. We continue to recommend the implementation of technical
   controls to prevent [redacted] at all facility entrances.

b) Physical Access Recertification
    BCBSNC’s process for removing physical access to its facilities for terminated employees
    begins with the notification to building security of the expected termination date. On a
    monthly basis, lists of all employees with active access to secure areas are sent to the
    manager responsible for those areas for validation. The managers are told to respond if there
    is an issue with the physical access rights, but are not required to acknowledge the review if
    there are no issues.

   However, BCBSNC’s process for reviewing employees’ physical access after termination
   could be improved. Access should be routinely reviewed for all physical access levels, not
   just for secure areas. Additionally, a written response from managers should be required to
   ensure that the full review is completed every month.

   NIST SP 800-53 Revision 4 states that an organization must review and analyze system audit
   records for indications of inappropriate or unusual activity. Failure to remove and audit
   physical access for terminated users increases the risk that a terminated employee could enter
   a facility and steal, modify, or delete sensitive and proprietary information. Lack of a
   required confirmation from managers increases the risk that employees maintain improper
   access to BCBSNC facilities.
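   The monthly review described above can be reduced to two checks: no active card belongs to a terminated employee at any access level, and every responsible manager has returned a written acknowledgment. The following is an added example written for this page, not BCBSNC’s own process or tooling; the card list, termination feed, acknowledgment records and area names are constructed sample data, and the scope (all areas rather than secure areas only) follows the recommendation in the text.

```python
"""Monthly physical access recertification check.

Added example; the records below are constructed, not from the audit report.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class AccessCard:
    card_id: str
    holder: str
    area: str      # "data_center" is a secure area; other values are general areas
    manager: str   # manager responsible for validating access to the area


# Constructed sample data (hypothetical ids and names).
ACTIVE_CARDS = [
    AccessCard("C-1001", "a.adams", "data_center", "mgr.ops"),
    AccessCard("C-1002", "b.baker", "office_floor_2", "mgr.claims"),
    AccessCard("C-1003", "c.clark", "office_floor_2", "mgr.claims"),
    AccessCard("C-1004", "d.davis", "data_center", "mgr.ops"),
]
# HR termination feed: employee -> termination date.
TERMINATIONS = {"c.clark": date(2014, 8, 15), "d.davis": date(2014, 9, 2)}
# Written acknowledgments returned by managers, keyed by (manager, review month).
ACKNOWLEDGMENTS = {("mgr.ops", "2014-09")}
SECURE_AREAS = {"data_center"}


def recertify(cards, terminations, acknowledgments, review_month, as_of):
    """Run one monthly review and return its findings.

    Every active card is checked against the termination feed, not only cards
    for secure areas, and a manager who returned no written acknowledgment is
    reported even if no access problem exists in that manager's areas.
    """
    stale = [c for c in cards
             if c.holder in terminations and terminations[c.holder] <= as_of]
    managers = {c.manager for c in cards}
    missing_ack = sorted(m for m in managers
                         if (m, review_month) not in acknowledgments)
    return {
        "terminated_with_active_card": sorted(c.card_id for c in stale),
        "terminated_in_secure_area": sorted(c.card_id for c in stale
                                            if c.area in SECURE_AREAS),
        "managers_missing_acknowledgment": missing_ack,
        "review_complete": not stale and not missing_ack,
    }


if __name__ == "__main__":
    result = recertify(ACTIVE_CARDS, TERMINATIONS, ACKNOWLEDGMENTS,
                       "2014-09", date(2014, 9, 30))
    for key, value in result.items():
        print(f"{key}: {value}")
```

   With the sample data, a secure-area-only review would catch only card C-1004; the all-areas check also surfaces C-1003, and the missing acknowledgment from mgr.claims keeps the review from being marked complete.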

       Recommendation 2
       We recommend that BCBSNC implement a process to routinely audit all active access cards
       to ensure that they are not assigned to terminated employees; this process should include
       written confirmation from managers.

       Plan Response to Recommendation 2:
       “In response to this recommendation, the Plan agrees to investigate and improve its
       current process and remediate, as appropriate, second quarter, June 30, 2015.”

       OIG Reply:
       As part of the audit resolution process, we recommend that BCBSNC provide OPM’s
       Healthcare and Insurance Office (HIO) evidence of the process change and of the managers’
       reviews.

3. Network Security
   Network security includes the policies and controls used to prevent or monitor unauthorized
   access, misuse, modification, or denial of a computer network and network-accessible resources.

   BCBSNC has implemented an incident response and network security program. However, we
   noted several opportunities for improvement related to BCBSNC’s network security controls.

   a) Vulnerabilities Identified in Automated Scans
      We worked with BCBSNC employees to independently perform automated vulnerability
      scans on a sample of [redacted]. The results are outlined in the sections below.

      System Patching
      BCBSNC has documented patch management policies and procedures. However, the results
      of the vulnerability scans conducted during this audit indicate that [redacted] were missing
      at least one critical patch or service pack greater than 90 days old. BCBSNC did not provide
      evidence indicating that it was previously aware of these missing patches and had
      documented its acceptance of the associated risk.

FISCAM states that “Software should be scanned and updated frequently to guard against
known vulnerabilities.” NIST SP 800-53 Revision 4 states that the organization must
identify, report, and correct information system flaws and install security-relevant software
and firmware updates promptly.

Failure to promptly install important updates increases the risk that vulnerabilities will not be
remediated and sensitive information could be stolen.

Recommendation 3
We recommend that BCBSNC improve its procedures and controls to ensure that [redacted] are
installed with appropriate patches, service packs, and hotfixes on a timely basis.

Recommendation 4
We recommend that BCBSNC improve its procedures and controls to ensure that [redacted]
are installed with appropriate patches, service packs, and hotfixes on a timely basis.

Plan Response to Recommendations 3 & 4:
“BCBSNC Security Management meets with the Security Operations team weekly and
monthly providing monitoring and oversight to ensure that the existing policies and
procedures are being followed. Vulnerabilities are assessed for risk, assigned remediation
timelines, and remediated according to the guidelines in the documented procedures.
Application supportability and availability are factors that determine and possibly dictate
timelines for deployment of patches, service packs, and hot fixes. In instances where
legacy software is needed to support BCBSNC business applications or patching would
negatively impact a BCBSNC business application, BCBSNC may seek alternate methods
to mitigate the risk by leveraging third party security tools such as [redacted], [redacted],
[redacted] and [redacted]. The Plan will utilize continuous improvement for all items
related to securing our [redacted]. In addition, the Plan will continue to review and, if
appropriate, update the established policies and procedures to ensure [redacted] are
installed with appropriate patches, service packs, and hotfixes on a timely basis or
compensating controls are identified for significant risk items.”




OIG Reply:
As part of the audit resolution process, we recommend that BCBSNC provide OPM’s HIO
with evidence that it has implemented controls to ensure [redacted] are installed with
appropriate patches, service packs and hotfixes on a timely basis. This evidence should
include documentation (e.g., several iterations of vulnerability scan reports) indicating that
[redacted] have remained up-to-date with patches.

Noncurrent Software
The results of the vulnerability scans also indicated that [redacted] contained noncurrent
software applications that were no longer supported by the vendors, and have known security
vulnerabilities. BCBSNC did not provide any evidence indicating that it previously knew about
the unsupported software and documented its acceptance of this risk.

FISCAM states that “Procedures should ensure that only current software releases are installed
in information systems. Noncurrent software may be vulnerable to malicious code such as
viruses and worms.”

Failure to promptly remove outdated software increases the risk of a successful malicious
attack on the information system.
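Both findings in this section come from reading scan output against two rules: a critical patch missing for more than 90 days is a finding, and any vendor-unsupported software is a finding, unless a documented risk acceptance exists for that host and item. The following is an added example written for this page, not BCBSNC’s scanner or procedures; the CSV export layout, host names, patch identifiers, software names and the risk-acceptance register are all constructed, and real scanner exports use their own columns.

```python
"""Patch-currency and unsupported-software review over a vulnerability scan export.

Added example; the scan rows, hosts, identifiers and register are constructed.
"""
import csv
import io
from datetime import date

# Constructed scan export (hypothetical hosts and KB ids); "released" is the
# patch release date and is empty for unsupported-software findings.
SCAN_CSV = """host,finding,severity,detail,released
srv-app-01,missing_patch,critical,KB-EXAMPLE-1,2014-05-01
srv-app-01,missing_patch,high,KB-EXAMPLE-2,2014-09-20
srv-db-02,missing_patch,critical,KB-EXAMPLE-3,2014-09-15
srv-db-02,unsupported_software,high,ExampleDB 8.x (vendor EOL),
wks-fep-07,unsupported_software,high,ExampleBrowser 5 (vendor EOL),
"""

# Documented risk acceptances, keyed by (host, detail). A finding with no
# entry here is exactly the situation the audit faulted: a known gap with no
# documented acceptance of the risk.
RISK_REGISTER = {
    ("wks-fep-07", "ExampleBrowser 5 (vendor EOL)"):
        "scheduled for retirement; compensating control documented",
}

PATCH_AGE_LIMIT_DAYS = 90


def review_scan(scan_csv, risk_register, as_of, max_age_days=PATCH_AGE_LIMIT_DAYS):
    """Return one dict per finding that needs attention.

    Rules applied to each scan row:
      * missing_patch: report only critical severity, and only when the patch
        has been available for more than max_age_days as of the scan date.
      * unsupported_software: always report.
    Each finding records whether a documented risk acceptance exists.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        age_days = None
        if row["finding"] == "missing_patch":
            if row["severity"] != "critical":
                continue
            age_days = (as_of - date.fromisoformat(row["released"])).days
            if age_days <= max_age_days:
                continue
            kind = "overdue_critical_patch"
        elif row["finding"] == "unsupported_software":
            kind = "unsupported_software"
        else:
            continue
        findings.append({
            "host": row["host"],
            "kind": kind,
            "detail": row["detail"],
            "age_days": age_days,
            "documented_acceptance": risk_register.get((row["host"], row["detail"])),
        })
    return findings


def undocumented_hosts(findings):
    """Hosts with at least one finding that has no documented risk acceptance."""
    return sorted({f["host"] for f in findings if f["documented_acceptance"] is None})


if __name__ == "__main__":
    results = review_scan(SCAN_CSV, RISK_REGISTER, date(2014, 9, 30))
    for f in results:
        print(f)
    print("needs action:", undocumented_hosts(results))
```

Run against the sample export as of 2014-09-30, the 15-day-old critical patch on srv-db-02 is within tolerance and the high-severity patch on srv-app-01 is out of scope, leaving one overdue critical patch (152 days) and two unsupported packages, of which only the workstation’s has a documented acceptance.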

Recommendation 5
We recommend that BCBSNC implement a methodology to ensure that only current and
supported versions of system software are installed [redacted].

Recommendation 6
We recommend that BCBSNC implement a methodology to ensure that only current and
supported versions of system software are installed on [redacted].

Plan Response to Recommendations 5 & 6:
“BCBSNC is aware that some unsupported software runs on our network and agree it
would be preferable for all software to be at current versions. There will be occasions
where the Plan’s business and Information Technology Group (ITG) departments partner
to make risk-aware decisions to not upgrade or replace software. Software that is to
become unsupported is inventoried and the impacts of upgrading, replacing, or accepting
risk are discussed with business owners. Decisions to not upgrade low risk software may be
based on business drivers such as ‘Reliant applications are to be retired’ or ‘the Plan will
pay for extended vendor support until internal resources are available for the upgrade’. In



       instances where legacy software is needed to support BCBSNC business applications or
       patching would negatively impact a BCBSNC business application, BCBSNC may seek
       alternate methods to mitigate the risk by leveraging third party security tools such as
       [redacted], [redacted], [redacted] and [redacted].

       The Plan has a Technology Roadmap in place to address software and hardware currency.
       With this plan, unsupported software may be needed while ramping up the current
       software and hardware. For any unsupported software in place during the audit,
       compensating controls and alternate methods to mitigate any risks were in place and
       continue to be monitored. The Plan continues to look for methods to improve all items
       related to securing our [redacted].”

       OIG Reply:
       BCBSNC’s response indicated that there are business needs that require the use of
       unsupported system software and that the Plan leverages third party security tools to mitigate
       risk. However, we believe that in spite of these compensating controls, this weakness poses a
       strong threat to the organization and increases the risk of a malicious attack exploiting these
       known vulnerabilities.

       We continue to recommend that BCBSNC implement a methodology to routinely remove
       unsupported software from [redacted], and that this include a process for
       documenting known instances of non-compliance.

4. Configuration Management
   We evaluated BCBSNC’s configuration management program as it relates to the operating
   platforms that support the processing of FEP claims, and determined that the following controls
   were in place:
   - Documented corporate configuration policy;
   - Documented baseline configurations for all operating systems; and
   - Thorough change management procedures for system software and hardware.

   Nothing came to our attention to indicate that BCBSNC has not implemented adequate
   controls over system software management.


5. Contingency Planning
   We reviewed the following elements of BCBSNC’s contingency planning program to determine
   whether controls were in place to prevent or minimize interruptions to business operations when
   disastrous events occur:
   - Disaster recovery plan;
   - Disaster recovery plan tests;
   - Business continuity plan; and
   - Emergency response procedures.

We determined that the service continuity documentation contained the critical elements
suggested by NIST SP 800-34 Revision 1, “Contingency Planning Guide for Federal Information
Systems.” BCBSNC has identified and prioritized the systems and resources that are critical to
business operations, and has developed detailed procedures to recover those systems and
resources.

a) Business Continuity Plan Tests
   BCBSNC delegates the responsibility for conducting Business Continuity Plan (BCP) tests to
   the functional owners of each plan. Currently, there is no validation or review to ensure that
   testing of each BCP is conducted in accordance with BCBSNC regulation.

    NIST 800-34 Revision 1 states that “Test results and lessons learned should be . . . reviewed
    by test participants and other personnel as appropriate.” Failure to have managerial review
    of testing increases the risk that the organization will not be able to continue business
    operations when unexpected events occur.

    Recommendation 7
    We recommend BCBSNC document the business continuity tests results and implement a
    process for routine managerial review.

    Plan Response to Recommendation 7:
    “In response to this recommendation, the Plan agrees.

    FEP business operations will conduct at least one physical test through either a call tree or
    tabletop exercise per year. Evidence of this exercise will be maintained within the FEP
    business operations area and reported to its Senior Leadership Team (SLT) representative
    and the Enterprise Business Continuity (EBC) Team.

    Effective immediately, the Enterprise Business Continuity (EBC) Team will reinforce its
    current Business Continuity Plan policy requiring business continuity plan owners whose
    plan supports a “material” or “significant” rated business process to test their business
    continuity plans through facilitated exercises (e.g. tabletop exercise, call tree exercise,
    etc.), maintain evidence of the exercise, and provide documentation to the EBC Team. The
    EBC Team will update this policy by April 30, 2015 to indicate that such exercises be
    conducted at least annually. The EBC Team will also monitor quarterly completion of the
    exercises and review supporting documentation for adequacy.”

   OIG Reply:
   As part of the audit resolution process, we recommend that BCBSNC provide OPM’s HIO
   evidence of the business continuity policy change and procedures for management review of
   testing exercises.

b)	 FEP Business Continuity Plan
    We determined that the business continuity policies and procedures specific to BCBSNC’s
    FEP line of business could be improved.

   The Plan currently conducts an informal test of the FEP call tree to ensure employees are
   notified of a disaster. This current process is not defined within policies and no official
   artifacts are developed in conjunction with the test and the results. NIST 800-34 Revision 1
   states “Test results and lessons learned should be documented. . .” Failure to generate testing
   artifacts increases the risk of inadequate testing and decreases the capacity for oversight of
   the process.

   Recommendation 8
   We recommend BCBSNC review and amend the FEP business continuity plan and
   procedures to include the necessary detail to ensure thorough business continuity tests for the
   FEP business operations are routinely conducted.

   Plan Response to Recommendation 8:
    “In response to this recommendation, the Plan agrees. At present, we update our Business
    Continuity Plan annually and our employee call tree semi-annually. To strengthen the
   procedures we have in place, we will conduct at least one physical test through either a call
   tree or tabletop exercise per year. Evidence of this exercise will be maintained within the
   FEP business operations and reported to our Senior Leadership Team (SLT)
   representative and Enterprise Business Continuity staff. Where appropriate, the results of
   the exercises will be incorporated into the business continuity plan.”

   OIG Reply:
   As part of the audit resolution process, we recommend that BCBSNC provide OPM’s HIO
   evidence of the FEP business continuity plan testing.

6.	 Claims Adjudication
    The following sections detail our review of the applications and business processes supporting
    BCBSNC’s claims adjudication process. BCBSNC processes all FEP claims through the
    BCBSA’s nationwide FEP Direct claims adjudication system.

   a)	 Application Configuration Management
       We evaluated the policies and procedures governing application development and change
       control of BCBSNC’s claims processing systems.

       BCBSNC has implemented policies and procedures related to application configuration
       management, and has also adopted a system development life cycle methodology that IT
       personnel follow during routine software modifications. We observed the following controls
       related to testing and approvals of software modifications:
       • BCBSNC has adopted practices that allow modifications to be tracked throughout the
         change process;
       • Code, unit, system, and quality testing are all conducted in accordance with industry
         standards; and
       • BCBSNC uses a business unit independent from the software developers to move the
         code between development and production environments to ensure adequate segregation
         of duties.

       Nothing came to our attention to indicate that BCBSNC has not implemented adequate
       controls related to the application configuration management process.

   b)	 Claims Processing System
       We evaluated the input, processing, and output controls associated with BCBSNC’s claims
       processing system. We have determined the following controls are in place over BCBSNC’s
       claims adjudication system:
       • Routine reviews are conducted on BCBSNC’s front-end scanning process for incoming
         paper claims;
       • Claims are monitored as they are processed through the system; and
       • Claims output files are fully reconciled.


       Nothing came to our attention to indicate that BCBSNC has not implemented adequate
       controls over the claims processing system.

   c)	 Debarment
       BCBSNC has adequate procedures for updating its claims system with debarred provider
       information. BCBSNC receives the OPM OIG debarment list every month and makes the
       appropriate updates to the FEP Direct claims processing system. Any claim submitted for a
       debarred provider is flagged by BCBSNC to adjudicate through the OPM OIG debarment
       process to include initial notification, a 15 day grace period, and then denial.

Nothing came to our attention to indicate that BCBSNC has not implemented adequate
controls over the debarment process.
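       The screening control described above (monthly list ingestion, flagging of claims from
       debarred providers, initial notification, a 15 day grace period, then denial) can be
       modelled as a small state machine. The following is an added example written for this
       page; it is not code from BCBSNC, FEP Direct or OPM OIG. The provider identifiers, dates,
       the `debarred_on` field on a list entry, the 31-day list-staleness tolerance, the outcome
       labels, and the rule that the first claim seen after debarment is what triggers the
       notification are all assumptions made for illustration.

```python
"""Constructed model of a debarred-provider claim screening control.

Everything here (provider ids, dates, field names, outcome labels) is an
assumption for illustration, not data from the report or from FEP Direct.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Tuple

GRACE_PERIOD_DAYS = 15       # grace period stated in the report
LIST_REFRESH_MAX_DAYS = 31   # the list is received monthly (assumed tolerance)


@dataclass(frozen=True)
class DebarmentEntry:
    provider_id: str
    debarred_on: date        # effective date of the debarment (assumed field)


class DebarmentRegister:
    """Current monthly debarment list plus per-provider notification history."""

    def __init__(self) -> None:
        self._entries: Dict[str, DebarmentEntry] = {}
        self._notified_on: Dict[str, date] = {}
        self._loaded_on: Optional[date] = None

    def load_monthly_list(self, entries: Iterable[DebarmentEntry], received_on: date) -> int:
        """Replace the working list with the newly received monthly list."""
        self._entries = {e.provider_id: e for e in entries}
        self._loaded_on = received_on
        return len(self._entries)

    def list_is_current(self, today: date) -> bool:
        """Control check: a stale list means recent debarments are not being enforced."""
        if self._loaded_on is None:
            return False
        return (today - self._loaded_on).days <= LIST_REFRESH_MAX_DAYS

    def adjudicate(self, provider_id: str, claim_date: date) -> str:
        """Return 'process', 'notify', 'grace' or 'deny' for a single claim.

        Assumed flow: the first claim from a debarred provider triggers the
        initial notification; further claims within the 15-day grace period are
        flagged but not yet denied; anything after the grace period is denied.
        """
        entry = self._entries.get(provider_id)
        if entry is None or claim_date < entry.debarred_on:
            return "process"           # not debarred, or service predates debarment
        notified = self._notified_on.get(provider_id)
        if notified is None:
            self._notified_on[provider_id] = claim_date
            return "notify"            # flag and send the initial notification
        if (claim_date - notified).days <= GRACE_PERIOD_DAYS:
            return "grace"             # flagged, still inside the grace period
        return "deny"


def demo() -> List[str]:
    """Run a constructed sequence of claims through the register."""
    reg = DebarmentRegister()
    reg.load_monthly_list(
        [DebarmentEntry("PRV-0001", date(2015, 3, 1))],   # constructed sample entry
        received_on=date(2015, 3, 5),
    )
    claims: List[Tuple[str, date]] = [
        ("PRV-0002", date(2015, 3, 10)),   # provider not on the list
        ("PRV-0001", date(2015, 2, 20)),   # service date precedes debarment
        ("PRV-0001", date(2015, 3, 10)),   # first claim -> initial notification
        ("PRV-0001", date(2015, 3, 20)),   # day 10 of the grace period
        ("PRV-0001", date(2015, 3, 25)),   # day 15, still within grace
        ("PRV-0001", date(2015, 3, 26)),   # day 16 -> denied
    ]
    return [reg.adjudicate(provider, when) for provider, when in claims]


if __name__ == "__main__":
    print(demo())
```

       The `list_is_current` check is the part an auditor would exercise: the control only
       works if the monthly list actually lands in the claims system, so a staleness test
       against the last load date is a simple way to evidence that.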




IV. MAJOR CONTRIBUTORS TO THIS REPORT

INFORMATION SYSTEMS AUDIT GROUP


            , Lead IT Auditor in Charge

           , Lead IT Auditor

         , IT Auditor


             , Group Chief




                                  APPENDIX
February 9, 2015 (Revised: May 18, 2015)

                , Group Chief
Claims & IT Audits Group
U.S. Office of Personnel Management
1900 E Street, Room 6400
Washington, D.C. 20415-1100

Federal Employee Program
1310 G Street, N.W.
Washington, D.C. 20005
202.626.4800
www.BCBS.com


Reference:               OPM DRAFT AUDIT REPORT
             Blue Cross Blue Shield North Carolina IT Audit
             Plan Code 310
             Report Number 1A-10-33-14-062
             (Dated December 9, 2014 and received December 9, 2014)

The following represents the Plan’s response as it relates to the recommendations
included in the draft report.

1. Security Management - No Recommendations


2. Access Controls


a. Access to BCBSNC Facilities:


Recommendation 1

We recommend that BCBSNC conduct a review of its physical access controls and
implement some form of         prevention controls at its facilities entrances.

Plan Response

In response to this recommendation, we have determined that the existing physical
access controls are appropriate to minimize the likelihood of               . Currently,
the plan has the following controls in place to enforce the physical access of our
buildings: electronic security technology, on-site security personnel, badge readers,
CCTV cameras, restricted access to restricted areas, security and safety policies and
procedures, door alarms etc.




b. Physical Access Recertification:


Recommendation 2

We recommend that BCBSNC implement a process for routinely auditing all active
access cards to ensure that they are not assigned to terminated employees; this
process should include written confirmation from managers.

Plan Response

In response to this recommendation, the Plan agrees to investigate and improve its
current process and remediate, as appropriate, second quarter, June 30, 2015.

3. Network Security


a. Vulnerabilities Noted in Automated Scans:


System Patching

Recommendation 3

We recommend that BCBSNC implement procedures and controls to ensure that
       are installed with appropriate patches, service packs, and hotfixes on a timely
basis.

Plan Response

BCBSNC Security Management meets with the Security Operations team weekly
and monthly providing monitoring and oversight to ensure that the existing policies
and procedures are being followed. Vulnerabilities are assessed for risk, assigned
remediation timelines, and remediated according to the guidelines in the
documented procedures. Application supportability and availability are factors that
determine and possibly dictate timelines for deployment of patches, service packs,
and hot fixes. In instances where legacy software is needed to support BCBSNC
business applications or patching would negatively impact a BCBSNC business
application, BCBSNC may seek alternate methods to mitigate the risk by leveraging
third party security tools such as                            ,          ,
                  and                                   . The Plan will utilize
continuous improvement for all items related to securing our
                         . In addition, the Plan will continue to review and, if
appropriate, update the established policies and procedures to ensure            are
installed with appropriate patches, service packs, and hotfixes on a timely basis or
compensating controls are identified for significant risk items.

Recommendation 4

We recommend that BCBSNC implement procedures and controls to ensure that
              are installed with appropriate patches, service packs, and hotfixes on a
timely basis.

Plan Response

BCBSNC Security Management meets with the Security Operations team weekly
and monthly providing monitoring and oversight to ensure that the existing policies
and procedures are being followed. Vulnerabilities are assessed for risk, assigned
remediation timelines, and remediated according to the guidelines in the
documented procedures. Application supportability and availability are factors that
determine and possibly dictate timelines for deployment of patches, service packs,
and hot fixes. In instances where legacy software is needed to support BCBSNC
business applications or patching would negatively impact a BCBSNC business
application, BCBSNC may seek alternate methods to mitigate the risk by leveraging
third party security tools such as                                  ,         ,
                  and                                        . The Plan will utilize
continuous improvement for all items related to securing our
                          . In addition, the Plan will continue to review and, if
appropriate, update the established policies and procedures to ensure                are
installed with appropriate patches, service packs, and hotfixes on a timely basis or
compensating controls are identified for significant risk items.

b. Noncurrent Software:


Recommendation 5

We recommend that BCBSNC implement a methodology to ensure that only current
and supported versions of system software are installed on                .

Plan Response

BCBSNC is aware that some unsupported software runs on our network and agrees
it would be preferable for all software to be at current versions. There will be
occasions where the Plan’s business and Information Technology Group (ITG)
departments partner to make risk-aware decisions to not upgrade or replace
software. Software that is to become unsupported is inventoried and the impacts of
upgrading, replacing, or accepting risk are discussed with business owners.
Decisions to not upgrade low risk software may be based on business drivers such
as ‘Reliant applications are to be retired’ or ‘the Plan will pay for extended vendor
support until internal resources are available for the upgrade’. In instances where
legacy software is needed to support BCBSNC business applications or patching
would negatively impact a BCBSNC business application, BCBSNC may seek
alternate methods to mitigate the risk by leveraging third party security tools such
as Network Intrusion Prevention, Firewalls, Network Access Controls and advanced
malware detection tools.

The Plan has a Technology Roadmap in place to address software and hardware
currency. With this plan, unsupported software may be needed while ramping up
the current software and hardware. For any unsupported software in place during
the audit, compensating controls and alternate methods to mitigate any risks were
in place and continue to be monitored. The Plan continues to look for methods to
improve all items related to securing our


Recommendation 6

We recommend that BCBSNC implement a methodology to ensure that only current
and supported versions of system software are installed on the user

Plan Response

BCBSNC is aware that some unsupported software runs on the
and agrees it would be preferable for all software to be at current versions. There will
be occasions where the Plan’s business and Information Technology Group (ITG)
departments partner to make risk-aware decisions to not upgrade or replace
software. Software that is to become unsupported is inventoried and the impacts of
upgrading, replacing, or accepting risk are discussed with business owners.
Decisions to not upgrade low risk software may be based on business drivers such
as ‘Reliant applications are to be retired’ or ‘the Plan will pay for extended vendor
support until internal resources are available for the upgrade’. In instances where
legacy software is needed to support BCBSNC business applications or patching
would negatively impact a BCBSNC business application, BCBSNC may seek
alternate methods to mitigate the risk by leveraging third party security tools such
as Network Intrusion Prevention, Firewalls, Network Access Controls and advanced
malware detection tools.

The Plan has a Technology Roadmap in place to address software and hardware
currency. With this plan, unsupported software may be needed while ramping up
the current software and hardware. For any unsupported software in place during
the audit, compensating controls and alternate methods to mitigate any risks were
in place and continue to be monitored. The Plan continues to look for methods to
improve all items related to securing our


4. Configuration Management – No Recommendations

5. Contingency Planning


a. Business Continuity Plan Tests:


Recommendation 7

We recommend BCBSNC document the business continuity tests results and
implement a process for managerial review.

Plan Response

In response to this recommendation, the Plan agrees.

FEP business operations will conduct at least one physical test through either a call tree
or tabletop exercise per year. Evidence of this exercise will be maintained within the
FEP business operations area and reported to its Senior Leadership Team (SLT)
representative and the Enterprise Business Continuity (EBC) Team.

Effective immediately, the Enterprise Business Continuity (EBC) Team will reinforce its
current Business Continuity Plan policy requiring business continuity plan owners
whose plan supports a “material” or “significant” rated business process to test their
business continuity plans through facilitated exercises (e.g. tabletop exercise, call tree
exercise, etc.), maintain evidence of the exercise, and provide documentation to the
EBC Team. The EBC Team will update this policy by April 30, 2015 to indicate that
such exercises be conducted at least annually. The EBC Team will also monitor
quarterly completion of the exercises and review supporting documentation for
adequacy.

b. FEP Business Continuity Plan:


Recommendation 8

We recommend BCBSNC review and amend the FEP business continuity plan and
procedures to include the necessary detail to ensure thorough business continuity tests
for the FEP business operations are routinely conducted.

Plan Response

In response to this recommendation, the Plan agrees. At present, we update our
Business Continuity Plan annually and our employee call tree semi-annually. To
strengthen the procedures we have in place, we will conduct at least one physical test
through either a call tree or tabletop exercise per year. Evidence of this exercise will be
maintained within the FEP business operations and reported to our Senior Leadership
Team (SLT) representative and Enterprise Business Continuity staff. Where
appropriate, the results of the exercises will be incorporated into the business continuity
plan.

6.	 Claims Adjudication – No Recommendations


7.	 Health Insurance Portability and Accountability Act – No Recommendations


Thank you for the opportunity to provide a response to the Draft Report. If you have
any questions in the interim, please contact                 at
                 @bcbsa.com or at                 .

Sincerely,

            , CISA
Managing Director, FEP Program Assurance

cc: 	                    , BCBSNC
                 , OPM
                    , FEP


                              Report Fraud, Waste, and Mismanagement

Fraud, waste, and mismanagement in Government concerns everyone: Office of the Inspector
General staff, agency employees, and the general public. We actively solicit allegations of
any inefficient and wasteful practices, fraud, and mismanagement related to OPM programs
and operations. You can report allegations to us in several ways:

By Internet:   http://www.opm.gov/our-inspector-general/hotline-to-report-fraud-waste-or-abuse

By Phone:      Toll Free Number:          (877) 499-7295
               Washington Metro Area:     (202) 606-2423

By Mail:       Office of the Inspector General
               U.S. Office of Personnel Management
               1900 E Street, NW
               Room 6400
               Washington, DC 20415-1100


