Office of Personnel Management, Office of Inspector General | U.S. Office of Personnel Management | Audit of Information Systems and General and Application Controls at BlueCross BlueShield of North Carolina

Audit of Information Systems and General and Application Controls at BlueCross BlueShield of North Carolina

Published by the Office of Personnel Management, Office of Inspector General on 2015-06-18.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

U.S. OFFICE OF PERSONNEL
MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS

Final Audit Report
AUDIT OF INFORMATION SYSTEMS GENERAL
AND APPLICATION CONTROLS AT
BLUE CROSS BLUE SHIELD OF NORTH
CAROLINA
Report Number 1A-10-33-14-062
June 18, 2015

-- CAUTION --
This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit report may
contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available under the Freedom of
Information Act and made available to the public on the OIG webpage (http://www.opm.gov/our-inspector-general), caution needs to be exercised
before releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.
EXECUTIVE SUMMARY

Audit of Information Systems General and Application Controls at

Blue Cross Blue Shield of North Carolina

Report No 1A-10-33-14-062 June 18, 2015

Why Did We Conduct the Audit? What Did We Find?
The objectives of this audit were to Our audit of the IT security controls of BCBSNC determined that:
evaluate controls over the  BCBSNC has established an adequate security management
confidentiality, integrity, and program.
availability of Federal Employee  BCBSNC has implemented controls to prevent unauthorized physical
Health Benefit Plan (FEHBP) data access to its facilities, as well as logical controls to protect sensitive
processed and maintained in Blue information. However, we noted several areas of concern related to
Cross Blue Shield of North Carolina’s BCBSNC’s access controls:
(BCBSNC) information technology o There is no technical control to detect or prevent at
(IT) environment. BCBSNC facilities.
o The current process of reviewing physical access does not
What Did We Audit? require managers to acknowledge the review.
The scope of this audit centered on the  BCBSNC has implemented an incident response and network
information systems used by BCBSNC security program. However, we noted several areas of concern
to process medical insurance claims for related to BCBSNC’s network security controls:
FEHBP members, with a primary focus o A patch management policy is in place, but our test work

on the claims adjudication applications. identified several instances where patches are not being

implemented in a timely manner.

o Our test work indicated that
contained unsupported or out-of-date software.
 BCBSNC has developed formal configuration management policies
and baselines for its operating platforms. Furthermore, BCBSNC
has a documented change control process for the documented
baseline configurations.
 BCBSNC’s business continuity and disaster recovery plans contain
the elements suggested by relevant guidance and publications.
However, we noted two areas of concern related to BCBSNC’s
contingency planning controls:
o BCBSNC does not verify with individual business units that
appropriate business continuity plan testing has occurred.
o BCBSNC’s disaster recovery plan specific to its federal line of
business does not include the necessary level of detail for testing.
 BCBSNC has implemented many controls in its claims adjudication
process to ensure that FEHBP claims are processed accurately.

_______________________
Michael R. Esser
Assistant Inspector General
for Audits
i
ABBREVIATIONS

the Act The Federal Employees Health Benefits Act
BCBSA Blue Cross Blue Shield Association
BCBSNC Blue Cross Blue Shield of North Carolina
BCP Business Continuity Plan
CFR Code of Federal Regulations
FEHBP Federal Employee’s Health Benefit Plan
FEP Federal Employee Program
FISCAM Federal Information Systems Control Audit Manual
GAO U.S. Government Accountability Office
HIO Healthcare and Insurance Office
HIPAA Health Insurance Portability and Accountability Act
IT Information Technology
NIST National Institute of Standards and Technology
NIST SP National Institute of Standards and Technology’s Special Publication
OIG Office of the Inspector General
OMB U.S. Office of Management and Budget
OPM U.S. Office of Personnel Management
Plan Blue Cross Blue Shield of North Carolina

ii
IV. MAJOR CONTRIBUTORS TO THIS REPORT
TABLE OF CONTENTS

Page

EXECUTIVE SUMMARY ......................................................................................... i

ABBREVIATIONS ..................................................................................................... ii

I. BACKGROUND ..........................................................................................................1

II. OBJECTIVES, SCOPE, AND METHODOLOGY ..................................................2

III. AUDIT FINDINGS AND RECOMMENDATIONS ................................................5

1. Security Management ..............................................................................................5

2. Access Controls .......................................................................................................5

3. Network Security .....................................................................................................7

4. Configuration Management ...................................................................................10

5. Contingency Planning............................................................................................10

6. Claims Adjudication ..............................................................................................13

IV. MAJOR CONTRIBUTORS TO THIS REPORT ..................................................15

APPENDIX: The Plan’s February 9, 2015 (amended May 18, 2015) response

to the draft audit report, issued December 9, 2014.

REPORT FRAUD, WASTE, AND MISMANAGEMENT

IV. MAJOR CONTRIBUTORS
I. BACKGROUND
TO THIS REPORT

This final report details the findings, conclusions, and recommendations resulting from the audit
of general and application controls over the information systems responsible for processing
Federal Employees Health Benefits Program (FEHBP) claims by Blue Cross Blue Shield of
North Carolina (BCBSNC or Plan).

The audit was conducted pursuant to FEHBP contract CS 1039; 5 U.S.C. Chapter 89; and 5 Code
of Federal Regulations (CFR) Chapter 1, Part 890. The audit was performed by the U.S. Office
of Personnel Management’s (OPM) Office of the Inspector General (OIG), as established by the
Inspector General Act of 1978, as amended.

The FEHBP was established by the Federal Employees Health Benefits Act (the Act), enacted on
September 28, 1959. The FEHBP was created to provide health insurance benefits for federal
employees, annuitants, and qualified dependents. The provisions of the Act are implemented by
OPM through regulations codified in Title 5, Chapter 1, Part 890 of the CFR. Health insurance
coverage is made available through contracts with various carriers that provide service benefits,
indemnity benefits, or comprehensive medical services.

This is our second audit of BCBSNC’s information systems. The prior audit report (Report No.
1A-10-33-05-027, dated July 3, 2006) contained 15 recommendations. As part of this audit we
followed up on the status of those prior recommendations and determined that they had all been
adequately resolved.

All BCBSNC personnel that worked with the auditors were helpful and open to ideas and
suggestions. They viewed the audit as an opportunity to examine practices and to make changes
or improvements as necessary. Their positive attitude and helpfulness throughout the audit was
greatly appreciated.

1 Report No. 1A-10-33-14-062
IV. OBJECTIVES,
II. MAJOR CONTRIBUTORS
SCOPE, ANDTO THIS REPORT
METHODOLOGY

Objective
The objectives of this audit were to evaluate controls over the confidentiality, integrity, and
availability of FEHBP data processed and maintained in BCBSNC’s information technology (IT)
environment. We accomplished these objectives by reviewing the following areas:
 Security management;

 Access controls;

 Network Security;

 Configuration management;

 Segregation of duties;

 Contingency planning; and

 Application controls specific to BCBSNC’s claims processing systems.

Scope
This performance audit was conducted in accordance with generally accepted government
auditing standards issued by the Comptroller General of the United States. Accordingly, we
obtained an understanding of BCBSNC’s internal controls through interviews and observations,
as well as inspection of various documents, including IT and other related organizational policies
and procedures. This understanding of BCBSNC’s internal controls was used in planning the
audit by determining the extent of compliance testing and other auditing procedures necessary to
verify that the internal controls were properly designed, placed in operation, and effective.

The scope of this audit centered on the information systems used by BCBSNC to process
medical insurance claims for FEHBP members, with a primary focus on the claims adjudication
process. BCBSNC participates in a nationwide fee-for-service plan sponsored by the BlueCross
and BlueShield Association’s (BCBSA) Federal Employee Program (FEP). BCBSNC processes
FEHBP claims through FEP Direct, the BCBSA’s nation-wide claims adjudication system. The
business processes reviewed are primarily located in BCBSNC’s Chapel Hill and Durham, North
Carolina facilities.

The on-site portion of this audit was performed in August and September of 2014. We
completed additional audit work before and after the on-site visit at our office in Washington,
D.C. The findings, recommendations, and conclusions outlined in this report are based on the
status of information system general and application controls in place at BCBSNC as of October
2014.

2 Report No. 1A-10-33-14-062
In conducting our audit, we relied to varying degrees on computer-generated data provided by
BCBSNC. Due to time constraints, we did not verify the reliability of the data used to complete
some of our audit steps but we determined that it was adequate to achieve our audit objectives.
However, when our objective was to assess computer-generated data, we completed audit steps
necessary to obtain evidence that the data was valid and reliable.

Methodology
In conducting this audit we:
 Gathered documentation and conducted interviews;

 Reviewed BCBSNC’s business structure and environment;

 Performed a risk assessment of BCBSNC’s information systems environment and

applications, and prepared an audit program based on the assessment and the U.S.
Government Accountability Office’s (GAO) Federal Information System Controls Audit
Manual (FISCAM); and
 Conducted various compliance tests to determine the extent to which established controls and
procedures are functioning as intended. As appropriate, we used judgmental sampling in
completing our compliance testing.

Various laws, regulations, and industry standards were used as a guide to evaluating BCBSNC’s
control structure. These criteria include, but are not limited to, the following publications:
 Title 48 of the CFR;

 U.S. Office of Management and Budget (OMB) Circular A-130, Appendix III;

 OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of

Personally Identifiable Information;
 Information Technology Governance Institute’s COBIT: Control Objectives for Information
and Related Technology;
 GAO’s FISCAM;
 National Institute of Standards and Technology’s Special Publication (NIST SP) 800-12,
Introduction to Computer Security;
 NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information
Technology Systems;
 NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments;
 NIST SP 800-34 Revision 1, Contingency Planning Guide for Federal Information Systems;
 NIST SP 800-41 Revision 1, Guidelines on Firewalls and Firewall Policy;
 NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems
and Organizations;

3 Report No. 1A-10-33-14-062
 NIST SP 800-61 Revision 2, Computer Security Incident Handling Guide; and
 NIST SP 800-66 Revision 1, An Introductory Resource Guide for Implementing the HIPAA
Security Rule.

Compliance with Laws and Regulations
In conducting the audit, we performed tests to determine whether BCBSNC’s practices were
consistent with applicable standards. While generally compliant, with respect to the items tested,
BCBSNC was not in complete compliance with all standards as described in the “Audit Findings
and Recommendations” section of this report.

4 Report No. 1A-10-33-14-062
IV. AUDIT
III. MAJORFINDINGS
CONTRIBUTORS TO THIS REPORT
AND RECOMMENDATIONS

1. Security Management
The security management component of this audit involved an
examination of the policies and procedures that are the foundation of BCBSNC maintains a
BCBSNC’s overall IT security controls. We evaluated BCBSNC’s series of thorough IT
ability to develop security policies, manage risk, assign security- security policies and
related responsibility, and monitor the effectiveness of various procedures.
system-related controls.

BCBSNC has implemented a series of formal policies and procedures that comprise its security
management program. BCBSNC has also developed a thorough risk management methodology
that allows the Plan to document, track, and mitigate or accept identified risks in a timely
manner. We also reviewed BCBSNC’s human resources policies and procedures related to
hiring, training, transferring, and terminating employees.

Nothing came to our attention to indicate that BCBSNC does not have an adequate security
management program.

2. Access Controls
Access controls are the policies, procedures, and techniques used to prevent or detect
unauthorized physical or logical access to sensitive resources.

We examined the physical access controls of BCBSNC’s facilities and data centers located in
, North Carolina. We also examined the logical controls protecting
sensitive data in BCBSNC’s network environment and applications.

The access controls observed during this audit include, but are not limited to:

 Procedures for appropriately granting physical access to facilities and data centers;

 Procedures for appropriately granting, adjusting, and removing logical access;

 Strong environment controls within the data centers; and

 Controls to monitor and filter e-mail and Internet activity.

However, the following sections document opportunities for improvement related to BCBSNC’s
physical access controls.

a) Access to BCBSNC Facilities
BCBSNC’s facilities use electronic card readers to control physical access. The BCBSNC
data center has both card readers and biometric scanners. However, we expect all FEHBP

5 Report No. 1A-10-33-14-062
contractors to also have some form of technical or physical control to detect or prevent
.

Failure to implement adequate physical access controls increases the risk that unauthorized
individuals can gain access to confidential data. NIST SP 800-53 Revision 4, “Security and
Privacy Controls for Federal Information Systems and Organizations,” provides guidance for
adequately controlling physical access to information systems containing sensitive data.

Recommendation 1
We recommend that BCBSNC conduct a review of its physical access controls and

implement some form of prevention controls at its facility entrances.

Plan Response to Recommendation 1:
“In response to this recommendation, we have determined that the existing physical access
controls are appropriate to minimize the likelihood of . Currently, the plan
has the following controls in place to enforce the physical access of our buildings:
electronic security technology, on-site security personnel, badge readers, CCTV cameras,
restricted access to restricted areas, security and safety policies and procedures, door
alarms etc.”

OIG Reply:
The physical access controls listed in the Plan’s response above are not in place in every
BCBSNC building. With the inconsistent implementation of controls, there is a significant
risk of a physical access breach to areas of the BCBSNC facilities that contain sensitive
information. A badge reader alone does not prevent into the facility. At a
minimum, a formal assessment should be done to consider the risks from unauthorized entry
into BCBSNC facilities. We continue to recommend the implementation of technical
controls to prevent at all facility entrances.

b) Physical Access Recertification
BCBSNC’s process for removing physical access to its facilities for terminated employees
begins with the notification to building security of the expected termination date. On a
monthly basis, lists of all employees with active access to secure areas are sent to the
manager responsible for those areas for validation. The managers are told to respond if there
is an issue with the physical access rights, but are not required to acknowledge the review if
there are no issues.

However, BCBSNC’s process for reviewing employees’ physical access after termination
could be improved. Access should be routinely reviewed for all physical access levels, not

6 Report No. 1A-10-33-14-062
just for secure areas. Additionally, a written response from managers should be required to
ensure that the full review is completed every month.

NIST SP 800-53 Revision 4 states that an organization must review and analyze system audit
records for indications of inappropriate or unusual activity. Failure to remove and audit
physical access to terminated users increases the risk that a terminated employee could enter
a facility and steal, modify, or delete sensitive and proprietary information. Lack of a
required confirmation from managers increases the risk that employees maintain improper
access to BCBSNC facilities.

Recommendation 2
We recommend that BCBSNC implement a process to routinely audit all active access cards
to ensure that they are not assigned to terminated employees; this process should include
written confirmation from managers.

Plan Response to Recommendation 2:
“In response to this recommendation, The Plan agrees to investigate and improve its
current process and remediate, as appropriate, second quarter, June 30, 2015.”

OIG Reply:
As part of the audit resolution process, we recommend that BCBSNC provide OPM’s
Healthcare and Insurance Office (HIO) evidence of the process change and of manager’s
review.

3. Network Security
Network security includes the policies and controls used to prevent or monitor unauthorized
access, misuse, modification, or denial of a computer network and network-accessible resources.

BCBSNC has implemented an incident response and network security program. However, we
noted several opportunities for improvement related to BCBSNC’s network security controls.

a) Vulnerabilities Identified in Automated Scans
We worked with BCBSNC employees to independently perform automated vulnerability
scans on a sample of . The results are outlined in
the sections below. BCBSNC’s failure to
promptly install all
System Patching important updates
BCBSNC has documented patch management policies and increases the risk that
procedures. However, the results of the vulnerability scans vulnerabilities will not
conducted during this audit indicate that be remediated and
were missing at least one critical patch or service sensitive information
could be stolen.
7 Report No. 1A-10-33-14-062
pack greater than 90 days old. BCBSNC did not provide evidence indicating that it was
previously aware of these missing patches and had documented its acceptance of the
associated risk.

FISCAM states that “Software should be scanned and updated frequently to guard against
known vulnerabilities.” NIST SP 800-53 Revision 4 states that the organization must
identify, report, and correct information system flaws and install security-relevant software
and firmware updates promptly.

Failure to promptly install important updates increases the risk that vulnerabilities will not be
remediated and sensitive information could be stolen.

Recommendation 3
We recommend that BCBSNC improve its procedures and controls to ensure that are
installed with appropriate patches, service packs, and hotfixes on a timely basis.

Recommendation 4
We recommend that BCBSNC improve its procedures and controls to ensure that
are installed with appropriate patches, service packs, and hotfixes on a timely
basis.

Plan Response to Recommendations 3 & 4:
“BCBSNC Security Management meets with the Security Operations team weekly and
monthly providing monitoring and oversight to ensure that the existing policies and
procedures are being followed. Vulnerabilities are assessed for risk, assigned remediation
timelines, and remediated according to the guidelines in the documented procedures.
Application supportability and availability are factors that determine and possibly dictate
timelines for deployment of patches, service packs, and hot fixes. In instances where
legacy software is needed to support BCBSNC business applications or patching would
negatively impact a BCBSNC business application, BCBSNC may seek alternate methods
to mitigate the risk by leveraging third party security tools such as
, , and .
The Plan will utilize continuous improvement for all items related to securing our
. In addition, the Plan will continue to
review and, if appropriate, update the established policies and procedures to ensure
are installed with appropriate patches, service packs, and hotfixes on a timely basis or
compensating controls are identified for significant risk items.”

8 Report No. 1A-10-33-14-062
OIG Reply:
As part of the audit resolution process, we recommend that BCBSNC provide OPM’s HIO
with evidence that it has implemented controls to ensure are
installed with appropriate patches, service packs and hotfixes on a timely basis. This
evidence should include documentation (e.g., several iterations of vulnerability scan reports)
indicating that have remained up-to-date with patches.

Noncurrent Software
The results of the vulnerability scans also indicated that
contained noncurrent software applications that were no longer supported by the vendors,
and have known security vulnerabilities. BCBSNC did not provide any evidence indicating
that it previously knew about the unsupported software and documented its acceptance of this
risk.

FISCAM states that “Procedures should ensure that only
current software releases are installed in information
contained
systems. Noncurrent software may be vulnerable to
noncurrent software
malicious code such as viruses and worms.”
applications no longer
supported by the vendors
Failure to promptly remove outdated software increases the
and known to have
risk of a successful malicious attack on the information
security vulnerabilities.
system.

Recommendation 5
We recommend that BCBSNC implement a methodology to ensure that only current and
supported versions of system software are installed .

Recommendation 6
We recommend that BCBSNC implement a methodology to ensure that only current and
supported versions of system software are installed on

Plan Response to Recommendations 5 & 6:
“BCBSNC is aware that some unsupported software runs on our network and agree it
would be preferable for all software to be at current versions. There will be occasions
where the Plan’s business and Information Technology Group (ITG) departments partner
to make risk-aware decisions to not upgrade or replace software. Software that is to
become unsupported is inventoried and the impacts of upgrading, replacing, or accepting
risk are discussed with business owners. Decisions to not upgrade low risk software may be
based on business drivers such as ‘Reliant applications are to be retired’ or ‘the Plan will
pay for extended vendor support until internal resources are available for the upgrade’. In

9 Report No. 1A-10-33-14-062
instances where legacy software is needed to support BCBSNC business applications or
patching would negatively impact a BCBSNC business application, BCBSNC may seek
alternate methods to mitigate the risk by leveraging third party security tools such as
, , and

The Plan has a Technology Roadmap in place to address software and hardware currency.
With this plan, unsupported software may be needed while ramping up the current
software and hardware. For any unsupported software in place during the audit,
compensating controls and alternate methods to mitigate any risks were in place and
continue to be monitored. The Plan continues to look for methods to improve all items
related to securing our .”

OIG Reply:
BCBSNC’s response indicated that there are business needs that require the use of
unsupported system software and that the Plan leverages third party security tools to mitigate
risk. However, we believe that in spite of these compensating controls, this weakness poses a
strong threat to the organization and increases the risk of a malicious attack exploiting these
known vulnerabilities.

We continue to recommend that BCBSNC implement a methodology to routinely remove
unsupported software from , and that this include a process for
documenting known instances of non-compliance.

4. Configuration Management
We evaluated BCBSNC’s configuration management program as it relates to the operating
platforms that support the processing of FEP claims, and determined that the following controls
were in place:
 Documented corporate configuration policy;
 Documented baseline configurations for all operating systems; and
 Thorough change management procedures for system software
and hardware. BCBSNC maintains
baseline configurations
Nothing came to our attention to indicate that BCBSNC has not for all operating
implemented adequate controls over system software management. systems.

5. Contingency Planning
We reviewed the following elements of BCBSNC’s contingency planning program to determine
whether controls were in place to prevent or minimize interruptions to business operations when
disastrous events occur:

10 Report No. 1A-10-33-14-062
 Disaster recovery plan;
 Disaster recovery plan tests;
 Business continuity plan; and
 Emergency response procedures.

We determined that the service continuity documentation contained the critical elements
suggested by NIST SP 800-34 Revision 1, “Contingency Planning Guide for Federal Information
Systems.” BCBSNC has identified and prioritized the systems and resources that are critical to
business operations, and has developed detailed procedures to recover those systems and
resources.

a) Business Continuity Plan Tests
BCBSNC delegates the responsibility for conducting Business Continuity Plan (BCP) tests to
the functional owners of each plan. Currently, there is no validation or review to ensure that
testing of each BCP is conducted in accordance with BCBSNC regulation.

NIST 800-34 Revision 1 states that “Test results and lessons learned should be . . . reviewed
by test participants and other personnel as appropriate.” Failure to have managerial review
of testing increases the risk that the organization will not be able to continue business
operations when unexpected events occur.

Recommendation 7
We recommend BCBSNC document the business continuity tests results and implement a
process for routine managerial review.

Plan Response to Recommendation 7:
“In response to this recommendation, the Plan agrees.

FEP business operations will conduct at least one physical test through either a call tree or
tabletop exercise per year. Evidence of this exercise will be maintained within the FEP
business operations area and reported to its Senior Leadership Team (SLT) representative
and the Enterprise Business Continuity (EBC) Team.

Effective immediately, the Enterprise Business Continuity (EBC) Team will reinforce its
current Business Continuity Plan policy requiring business continuity plan owners whose
plan supports a “material” or “significant” rated business process to test their business
continuity plans through facilitated exercises (e.g. tabletop exercise, call tree exercise,
etc.), maintain evidence of the exercise, and provide documentation to the EBC Team. The
EBC Team will update this policy by April 30, 2015 to indicate that such exercises be

11 Report No. 1A-10-33-14-062
conducted at least annually. The EBC Team will also monitor quarterly completion of the
exercises and review supporting documentation for adequacy.”

OIG Reply:
As part of the audit resolution process, we recommend that BCBSNC provide OPM’s HIO
evidence of the business continuity policy change and procedures for management review of
testing exercises.

b) FEP Business Continuity Plan
We determined that the business continuity policies and procedures specific to BCBSNC’s
FEP line of business could be improved.

The Plan currently conducts an informal test of the FEP call tree to ensure employees are
notified of a disaster. This current process is not defined within policies and no official
artifacts are developed in conjunction with the test and the results. NIST 800-34 Revision 1
states “Test results and lessons learned should be documented. . .” Failure to generate testing
artifacts increases the risk of inadequate testing and decreases the capacity for oversight of
the process.

Recommendation 8
We recommend BCBSNC review and amend the FEP business continuity plan and
procedures to include the necessary detail to ensure thorough business continuity tests for the
FEP business operations are routinely conducted.

Plan Response to Recommendation 8:
“In response to this recommendation, the Plan agrees. At present, we update our Business
Continuity Plan annually and our employee call tree semi annually. To strengthen the
procedures we have in place, we will conduct at least one physical test through either a call
tree or tabletop exercise per year. Evidence of this exercise will be maintained within the
FEP business operations and reported to our Senior Leadership Team (SLT)
representative and Enterprise Business Continuity staff. Where appropriate, the results of
the exercises will be incorporated into the business continuity plan.”

OIG Reply:
As part of the audit resolution process, we recommend that BCBSNC provide OPM’s HIO
evidence of the FEP business continuity plan testing.

12 Report No. 1A-10-33-14-062
6. Claims Adjudication
The following sections detail our review of the applications and business processes supporting
BCBSNC’s claims adjudication process. BCBSNC processes all FEP claims through the
BCBSA’s nationwide FEP Direct claims adjudication system.

a) Application Configuration Management
We evaluated the policies and procedures governing application development and change
control of BCBSNC’s claims processing systems.

BCBSNC has implemented policies and procedures related to application configuration
management, and has also adopted a system development life cycle methodology that IT
personnel follow during routine software modifications. We observed the following controls
related to testing and approvals of software modifications:
 BCBSNC has adopted practices that allow modifications to be tracked throughout the
change process;
 Code, unit, system, and quality testing are all conducted in accordance with industry
standards; and
 BCBSNC uses a business unit independent from the software developers to move the
code between development and production environments to ensure adequate segregation
of duties.

Nothing came to our attention to indicate that BCBSNC has not implemented adequate
controls related to the application configuration management process.

b) Claims Processing System
We evaluated the input, processing, and output controls associated with BCBSNC’s claims
processing system. We have determined the following controls are in place over BCBSNC’s
claims adjudication system:
 Routine reviews are conducted on BCBSNC’s front-end scanning process for incoming
paper claims;

 Claims are monitored as they are processed through the system; and

 Claims output files are fully reconciled.

Nothing came to our attention to indicate that BCBSNC has not implemented adequate
controls over the claims processing system.

c) Debarment
BCBSNC has adequate procedures for updating its claims system with debarred provider
information. BCBSNC receives the OPM OIG debarment list every month and makes the
appropriate updates to the FEP Direct claims processing system. Any claim submitted for a

13 Report No. 1A-10-33-14-062
debarred provider is flagged by BCBSNC to adjudicate through the OPM OIG debarment
process to include initial notification, a 15 day grace period, and then denial.

Nothing came to our attention to indicate that BCBSNC has not implemented adequate
controls over the debarment process.

14 Report No. 1A-10-33-14-062
IV. MAJOR CONTRIBUTORS TO THIS REPORT

INFORMATION SYSTEMS AUDIT GROUP

, Lead IT Auditor in Charge

, Lead IT Auditor

, IT Auditor

, Group Chief

15 Report No. 1A-10-33-14-062
APPENDIX
February 9, 2015 (Revised: May 18, 2015)

, Group Chief
Claims & IT Audits Group
Federal Employee Program
U.S. Office of Personnel Management 1310 G Street, N.W.
1900 E Street, Room 6400 Washington, D.C. 20005
202.626.4800
Washington, D.C. 20415-1100 www.BCBS.com

Reference: OPM DRAFT AUDIT REPORT
Blue Cross Blue Shield North Carolina IT Audit
Plan Code 310
Report Number 1A-10-33-14-062
(Dated December 9, 2014 and received December 9, 2014)

The following represents the Plan’s response as it relates to the recommendations
included in the draft report.

1. Security Management - No Recommendations

2. Access Controls

a. Access to BCBSNC Facilities:

Recommendation 1

We recommend that BCBSNC conduct a review of its physical access controls and
implement some form of prevention controls at its facilities entrances.

Plan Response

In response to this recommendation, we have determined that the existing physical
access controls are appropriate to minimize the likelihood of . Currently,
the plan has the following controls in place to enforce the physical access of our
buildings: electronic security technology, on-site security personnel, badge readers,
CCTV cameras, restricted access to restricted areas, security and safety policies and
procedures, door alarms etc.

Report No. 1A-10-33-14-062
b. Physical Access Recertification:

Recommendation 2

We recommend that BCBSNC implement a process for routinely auditing all active
access cards to ensure that they are not assigned to terminated employees; this
process should include written confirmation from managers.

Plan Response

In response to this recommendation, The Plan agrees to investigate and improve its
current process and remediate, as appropriate, second quarter, June 30, 2015.

3. Network Security

a. Vulnerabilities Noted in Automated Scans:

System Patching

Recommendation 3

We recommend that BCBSNC implement procedures and controls to ensure that
are installed with appropriate patches, service packs, and hotfixes on a timely
basis.

Plan Response

BCBSNC Security Management meets with the Security Operations team weekly
and monthly providing monitoring and oversight to ensure that the existing policies
and procedures are being followed. Vulnerabilities are assessed for risk, assigned
remediation timelines, and remediated according to the guidelines in the
documented procedures. Application supportability and availability are factors that
determine and possibly dictate timelines for deployment of patches, service packs,
and hot fixes. In instances where legacy software is needed to support BCBSNC
business applications or patching would negatively impact a BCBSNC business
application, BCBSNC may seek alternate methods to mitigate the risk by leveraging
third party security tools such as , ,
and . The Plan will utilize
continuous improvement for all items related to securing our

Report No. 1A-10-33-14-062
. In addition, the Plan will continue to review and, if
appropriate, update the established policies and procedures to ensure are
installed with appropriate patches, service packs, and hotfixes on a timely basis or
compensating controls are identified for significant risk items.

Recommendation 4

We recommend that BCBSNC implement procedures and controls to ensure that
are installed with appropriate patches, service packs, and hotfixes on a
timely basis.

Plan Response

b. Noncurrent Software:

Recommendation 5

We recommend that BCBSNC implement a methodology to ensure that only current
and supported versions of system software are installed on .

Plan Response

BCBSNC is aware that some unsupported software runs on our network and agree
it would be preferable for all software to be at current versions. There will be

Report No. 1A-10-33-14-062
occasions where the Plan’s business and Information Technology Group (ITG)
departments partner to make risk-aware decisions to not upgrade or replace
software. Software that is to become unsupported is inventoried and the impacts of
upgrading, replacing, or accepting risk are discussed with business owners.
Decisions to not upgrade low risk software may be based on business drivers such
as ‘Reliant applications are to be retired’ or ‘the Plan will pay for extended vendor
support until internal resources are available for the upgrade’. In instances where
legacy software is needed to support BCBSNC business applications or patching
would negatively impact a BCBSNC business application, BCBSNC may seek
alternate methods to mitigate the risk by leveraging third party security tools such
as Network Intrusion Prevention, Firewalls, Network Access Controls and advanced
malware detection tools.

The Plan has a Technology Roadmap in place to address software and hardware
currency. With this plan, unsupported software may be needed while ramping up
the current software and hardware. For any unsupported software in place during
the audit, compensating controls and alternate methods to mitigate any risks were
in place and continue to be monitored. The Plan continues to look for methods to
improve all items related to securing our

Recommendation 6

We recommend that BCBSNC implement a methodology to ensure that only current
and supported versions of system software are installed on the user

Plan Response

BCBSNC is aware that some unsupported software runs on the
and agree it would be preferable for all software to be at current versions. There will
be occasions where the Plan’s business and Information Technology Group (ITG)
departments partner to make risk-aware decisions to not upgrade or replace
software. Software that is to become unsupported is inventoried and the impacts of
upgrading, replacing, or accepting risk are discussed with business owners.
Decisions to not upgrade low risk software may be based on business drivers such
as ‘Reliant applications are to be retired’ or ‘the Plan will pay for extended vendor
support until internal resources are available for the upgrade’. In instances where
legacy software is needed to support BCBSNC business applications or patching
would negatively impact a BCBSNC business application, BCBSNC may seek
alternate methods to mitigate the risk by leveraging third party security tools such

Report No. 1A-10-33-14-062
as Network Intrusion Prevention, Firewalls, Network Access Controls and advanced
malware detection tools.

The Plan has a Technology Roadmap in place to address software and hardware
currency. With this plan, unsupported software may be needed while ramping up
the current software and hardware. For any unsupported software in place during
the audit, compensating controls and alternate methods to mitigate any risks were
in place and continue to be monitored. The Plan continues to look for methods to
improve all items related to securing our

4. Configuration Management – No Recommendations

5. Contingency Planning

a. Business Continuity Plan Tests:

Recommendation 7

We recommend BCBSNC document the business continuity tests results and
implement a process for managerial review.

Plan Response

In response to this recommendation, the Plan agrees.

FEP business operations will conduct at least one physical test through either a call tree
or tabletop exercise per year. Evidence of this exercise will be maintained within the
FEP business operations area and reported to its Senior Leadership Team (SLT)
representative and the Enterprise Business Continuity (EBC) Team.

Effective immediately, the Enterprise Business Continuity (EBC) Team will reinforce its
current Business Continuity Plan policy requiring business continuity plan owners
whose plan supports a “material” or “significant” rated business process to test their
business continuity plans through facilitated exercises (e.g. tabletop exercise, call tree
exercise, etc.), maintain evidence of the exercise, and provide documentation to the
EBC Team. The EBC Team will update this policy by April 30, 2015 to indicate that
such exercises be conducted at least annually. The EBC Team will also monitor

Report No. 1A-10-33-14-062
quarterly completion of the exercises and review supporting documentation for
adequacy.

b. FEP Business Continuity Plan:

Recommendation 8

We recommend BCBSNC review and amend the FEP business continuity plan and
procedures to include the necessary detail to ensure thorough business continuity tests
for the FEP business operations are routinely conducted.

Plan Response

In response to this recommendation, the Plan agrees. At present, we update our
Business Continuity Plan annually and our employee call tree semi-annually. To
strengthen the procedures we have in place, we will conduct at least one physical test
through either a call tree or tabletop exercise per year. Evidence of this exercise will be
maintained within the FEP business operations and reported to our Senior Leadership
Team (SLT) representative and Enterprise Business Continuity staff. Where
appropriate, the results of the exercises will be incorporated into the business continuity
plan.

6. Claims Adjudication – No Recommendations

7. Health Insurance Portability and Accountability Act – No
Recommendations

Thank you for the opportunity to provide a response to the Draft Report. If you have
any questions in the interim, please contact at
@bcbsa.com or at .

Sincerely,

, CISA
Managing Director, FEP Program Assurance

cc: , BCBSNC
, OPM
, FEP

Report No. 1A-10-33-14-062
Report Fraud, Waste, and

Mismanagement

Fraud, waste, and mismanagement in
Government concerns everyone: Office of
the Inspector General staff, agency
employees, and the general public. We
actively solicit allegations of any inefficient
and wasteful practices, fraud, and
mismanagement related to OPM programs
and operations. You can report allegations
to us in several ways:

By Internet: http://www.opm.gov/our-inspector-general/hotline-to-
report-fraud-waste-or-abuse

By Phone: Toll Free Number: (877) 499-7295
Washington Metro Area: (202) 606-2423

By Mail: Office of the Inspector General
U.S. Office of Personnel Management
1900 E Street, NW
Room 6400
Washington, DC 20415-1100

Report No. 1A-10-33-14-062