
Audit of the Information Systems General and Application Controls at Anthem Blue Cross Blue Shield

Published by the Office of Personnel Management, Office of Inspector General on 2016-08-15.


U.S. OFFICE OF PERSONNEL MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS

Final Audit Report
AUDIT OF THE INFORMATION SYSTEMS GENERAL AND APPLICATION CONTROLS AT ANTHEM BLUE CROSS BLUE SHIELD
Report Number 1A-10-62-16-003
August 15, 2016

-- CAUTION --
This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit report may
contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available under the Freedom of
Information Act and made available to the public on the OIG webpage (http://www.opm.gov/our-inspector-general), caution needs to be exercised before
releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.
EXECUTIVE SUMMARY

Audit of the Information Systems General and Application Controls at Anthem Blue Cross Blue Shield

Report No. 1A-10-62-16-003                                                                         August 15, 2016

Background

Anthem Blue Cross Blue Shield (Anthem) contracts with the U.S. Office of Personnel Management as
part of the Federal Employees Health Benefits Program (FEHBP).

Why Did We Conduct the Audit?

The objectives of this audit were to evaluate controls over the confidentiality, integrity, and
availability of FEHBP data processed and maintained in Anthem’s information technology (IT)
environment. This engagement was a follow-up audit where we performed test work that we were
restricted from completing during a prior audit of Anthem (Report No. 1A-10-00-13-012). At the
time of the previous audit Anthem was known as WellPoint, Inc.

What Did We Audit?

The scope of this audit centered on the information systems used by Anthem to process and store
data related to insurance claims for FEHBP members.

What Did We Find?

Our audit of the IT security controls of Anthem determined that:

• Anthem has implemented an incident response and network security program. Anthem has also
  implemented preventative controls at the network perimeter and performs security event
  monitoring throughout the network. However, we noted several areas of concern related to
  Anthem’s network security controls:

  o Anthem’s computer server and database inventories revealed that Anthem has numerous
    servers running unsupported versions of operating systems.

  o Our vulnerability assessment identified numerous servers containing vulnerabilities such as
    missing patches, noncurrent software, and weak configuration settings. The vast majority of
    the servers containing vulnerabilities were inherited from a separate company that was
    recently acquired by Anthem. These servers were migrated into Anthem’s network before they
    were fully integrated into Anthem’s vulnerability management, patching, and configuration
    management programs.

• Anthem has developed formal configuration management policies, has documented security
  configuration settings for its operating platforms, and performs routine configuration
  compliance auditing.

______________________
Michael R. Esser
Assistant Inspector General
for Audits
                 ABBREVIATIONS


the Act   The Federal Employees Health Benefits Act
Anthem    Anthem Blue Cross Blue Shield
BCBS      Blue Cross Blue Shield
BCBSA     Blue Cross Blue Shield Association
CFR       Code of Federal Regulations
DO        Director’s Office
FEHBP     Federal Employees Health Benefits Program
FEP       Federal Employee Program
FISCAM    Federal Information Systems Control Audit Manual
GAO       U.S. Government Accountability Office
IT        Information Technology
NIST SP   National Institute of Standards and Technology’s Special Publication
OIG       Office of the Inspector General
OMB       U.S. Office of Management and Budget
OPM       U.S. Office of Personnel Management
Plan      Anthem Blue Cross Blue Shield




TABLE OF CONTENTS

                                                                   Page

EXECUTIVE SUMMARY ................................................... i

ABBREVIATIONS ....................................................... ii

I.    BACKGROUND ..................................................... 1

II.   OBJECTIVES, SCOPE, AND METHODOLOGY ............................. 2

III.  AUDIT FINDINGS AND RECOMMENDATIONS ............................. 4

      A. Network Security ............................................ 4

      B. Configuration Management .................................... 9

IV.   MAJOR CONTRIBUTORS TO THIS REPORT .............................. 11

      APPENDIX: Anthem Blue Cross Blue Shield’s July 7, 2016 response to the draft
                audit report, issued April 27, 2016.

      REPORT FRAUD, WASTE, AND MISMANAGEMENT

I. BACKGROUND

This final report details the findings, conclusions, and recommendations resulting from the audit
of general and application controls over the information systems responsible for processing
Federal Employees Health Benefits Program (FEHBP) claims by Anthem Blue Cross Blue
Shield (Anthem or Plan).

The audit was conducted pursuant to FEHBP contract CS 1039; 5 U.S.C. Chapter 89; and 5 Code
of Federal Regulations (CFR) Chapter 1, Part 890. The audit was performed by the U.S. Office
of Personnel Management’s (OPM) Office of the Inspector General (OIG), as established by the
Inspector General Act of 1978, as amended.

The FEHBP was established by the Federal Employees Health Benefits Act (the Act), enacted on
September 28, 1959. The FEHBP was created to provide health insurance benefits for federal
employees, annuitants, and qualified dependents. The provisions of the Act are implemented by
OPM through regulations codified in Title 5, Chapter 1, Part 890 of the CFR. Health insurance
coverage is made available through contracts with various carriers that provide service benefits,
indemnity benefits, or comprehensive medical services.

The Blue Cross Blue Shield Association (BCBSA), on behalf of participating Blue Cross and
Blue Shield (BCBS) plans, has entered into a Government-wide Service Benefit Plan contract
(CS 1039) with OPM to provide a health benefit plan authorized by the FEHB Act. The
Association delegates authority to participating local BCBS plans throughout the United States,
such as Anthem, to process the health benefit claims of its federal subscribers.

The Association has established a Federal Employee Program (FEP) Director’s Office (DO) in
Washington, D.C. to provide centralized management for the Service Benefit Plan. The FEP DO
coordinates the administration of the contract with the Association, member BCBS plans, and
OPM.

All Anthem personnel who worked with the auditors were helpful and open to ideas and
suggestions. Their positive attitude and helpfulness throughout the audit were greatly
appreciated.




                                                1                   Report No. 1A-10-62-16-003
II. OBJECTIVES, SCOPE, AND METHODOLOGY

 Objectives

 The objectives of this audit were to evaluate controls over the confidentiality, integrity, and
 availability of FEHBP data processed and maintained in Anthem’s information technology (IT)
 environment. We accomplished these objectives by reviewing IT security controls related to
 Anthem’s network security and configuration management.

 Scope and Methodology

 This performance audit was conducted in accordance with generally accepted government
 auditing standards issued by the Comptroller General of the United States. Accordingly, we
 obtained an understanding of Anthem’s internal controls through interviews and observations, as
 well as inspection of various documents, including IT and other related organizational policies
 and procedures. This understanding of Anthem’s internal controls was used in planning the audit
 by determining the extent of compliance testing and other auditing procedures necessary to
 verify that the internal controls were properly designed, placed in operation, and effective.

 This engagement was a follow-up audit where we performed test work that we were restricted
 from completing during a prior audit of Anthem (Report No. 1A-10-00-13-012). At the time of
 the previous audit Anthem was known as WellPoint, Inc. All recommendations from the prior
 audit have been closed. The business processes reviewed are primarily located in Anthem’s
 Indianapolis, Indiana facility.

 The on-site portion of this audit was performed in November of 2015. We completed additional
 audit work before and after the on-site visit at our office in Washington, D.C. The findings,
 recommendations, and conclusions outlined in this report are based on the status of information
 system general controls in place at Anthem as of April 2016.

 In conducting our audit, we relied to varying degrees on computer-generated data provided by
 Anthem. Due to time constraints, we did not verify the reliability of the data used to complete
 some of our audit steps but we determined that it was adequate to achieve our audit objectives.
 However, when our objective was to assess computer-generated data, we completed audit steps
 necessary to obtain evidence that the data was valid and reliable.




In conducting this review we:

• Gathered documentation and conducted interviews;
• Reviewed Anthem’s business structure and environment;
• Performed a risk assessment of Anthem’s information systems environment and applications,
  and prepared an audit program based on the assessment and the Government Accountability
  Office’s (GAO) Federal Information System Controls Audit Manual (FISCAM); and
• Conducted various compliance tests to determine the extent to which established controls and
  procedures are functioning as intended. As appropriate, we used judgmental sampling in
  completing our compliance testing.

Various laws, regulations, and industry standards were used as a guide to evaluating Anthem’s
control structure. These criteria include, but are not limited to, the following publications:

• Title 48 of the Code of Federal Regulations;
• U.S. Office of Management and Budget (OMB) Circular A-130, Appendix III;
• OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of
  Personally Identifiable Information;
• Information Technology Governance Institute’s COBIT: Control Objectives for Information
  and Related Technology;
• GAO’s FISCAM;
• National Institute of Standards and Technology’s Special Publication (NIST SP) 800-12,
  Introduction to Computer Security;
• NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information
  Technology Systems;
• NIST SP 800-41, Revision 1, Guidelines on Firewalls and Firewall Policy;
• NIST SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems
  and Organizations; and
• NIST SP 800-61, Revision 2, Computer Security Incident Handling Guide.

Compliance with Laws and Regulations

In conducting the audit, we performed tests to determine whether Anthem’s practices were
consistent with applicable standards. While generally compliant, with respect to the items tested,
Anthem was not in complete compliance with all standards as described in the “Audit Findings
and Recommendations” section of this report.




III. AUDIT FINDINGS AND RECOMMENDATIONS

A. Network Security

   Network security includes the policies and controls in place to manage and monitor the use and
   security of a computer network and network-accessible resources.

   We noted that Anthem has implemented the following network security controls:

   • Preventive controls at the network perimeter;
   • Security event monitoring throughout the network; and
   • A thorough incident response program.


   The following sections document opportunities for improvement related to Anthem’s network
   security controls.

   1. System Lifecycle Management

      A review of Anthem’s computer server and database inventories revealed that Anthem has
      numerous servers running unsupported versions of operating systems. Software vendors
      typically advertise the dates that they will no longer provide support or distribute security
      patches for their products (referred to as end-of-life dates). In order to avoid the risk
      associated with having critical business operations dependent on unsupported software,
      organizations should have a process in place to anticipate end-of-life dates and phase out the
      deployment of such software prior to this window of exposure.

      We were told that Anthem has an infrastructure lifecycle management program to eliminate
      end-of-life hardware and operating systems. The goal of the program is to
                                                                                          However,
      our review identified            servers that are running unsupported versions of operating
      systems and over      of those have not been supported for more than         . The large
      number and significant length of time that servers have been unsupported indicates that
      Anthem’s infrastructure lifecycle management program is not effective in its current form.

      NIST SP 800-53, Revision 4, recommends that organizations replace “information system
      components when support for the components is no longer available from the developer,
      vendor, or manufacturer . . . .” NIST SP 800-53, Revision 4, also states that “Unsupported
      components . . . provide a substantial opportunity for adversaries to exploit new weaknesses
      discovered in the currently installed components.”


Failure to upgrade system software could leave information systems vulnerable to known
attacks without the possibility of remediation.
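The control this finding describes (anticipating vendor end-of-life dates, measuring how much of the fleet is already past them, and phasing systems out before the exposure window opens) can be checked mechanically against a server inventory. The script below is an added example written for this page; it is not Anthem’s or the OIG’s code, and the inventory rows, the end-of-life table, the 180-day warning horizon and the assessment date are constructed assumptions.

```python
"""Added example (not from the OPM OIG report or from Anthem): classify a
server inventory by vendor end-of-life status so that unsupported systems and
systems approaching end of life are reported before the exposure window opens.
The inventory, end-of-life table and assessment date are constructed sample data."""
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed assessment date (the report's on-site work was November 2015).
AS_OF = date(2015, 11, 15)

# Constructed end-of-life table: (vendor product, version) -> last day of
# vendor support.  In practice this comes from a maintained vendor source.
EOL_DATES = {
    ("ExampleOS", "5"): date(2013, 3, 31),
    ("ExampleOS", "6"): date(2016, 3, 31),
    ("ExampleOS", "7"): date(2024, 6, 30),
    ("OtherOS", "2003"): date(2015, 7, 14),
    ("OtherOS", "2012"): date(2023, 10, 10),
}

# Constructed inventory export (hostname, os, version, owner).
INVENTORY_CSV = """\
hostname,os,version,owner
claims-db-01,ExampleOS,5,claims
claims-app-02,ExampleOS,7,claims
acq-web-07,OtherOS,2003,acquired-co
acq-file-09,OtherOS,2012,acquired-co
portal-01,ExampleOS,6,portal
legacy-box-03,MysteryOS,1,claims
"""


@dataclass
class Finding:
    hostname: str
    platform: str
    owner: str
    eol: Optional[date]
    days_unsupported: int  # negative while vendor support is still in the future


def parse_inventory(text: str) -> list:
    """Read the CSV export into a list of row dicts keyed by the header."""
    return list(csv.DictReader(io.StringIO(text)))


def classify(rows, as_of=AS_OF, eol_table=EOL_DATES, horizon_days=180):
    """Sort servers into unsupported / approaching EOL / supported / unknown.

    'unknown' is a platform the EOL table does not cover; it is reported
    separately rather than silently counted as supported."""
    buckets = {"unsupported": [], "approaching": [], "supported": [], "unknown": []}
    for row in rows:
        platform = f'{row["os"]} {row["version"]}'
        eol = eol_table.get((row["os"], row["version"]))
        if eol is None:
            buckets["unknown"].append(Finding(row["hostname"], platform, row["owner"], None, 0))
            continue
        delta = (as_of - eol).days
        finding = Finding(row["hostname"], platform, row["owner"], eol, delta)
        if delta > 0:
            buckets["unsupported"].append(finding)
        elif -delta <= horizon_days:
            buckets["approaching"].append(finding)
        else:
            buckets["supported"].append(finding)
    # Longest-unsupported first, so the worst exposure heads the report.
    buckets["unsupported"].sort(key=lambda f: f.days_unsupported, reverse=True)
    return buckets


def summarize(rows, as_of=AS_OF, threshold_days=365):
    """Fleet-level numbers of the kind the finding cites: how many servers are
    unsupported, what share of the inventory that is, and how many have been
    unsupported for longer than the threshold."""
    buckets = classify(rows, as_of)
    total = len(rows)
    unsupported = buckets["unsupported"]
    return {
        "total_servers": total,
        "unsupported": len(unsupported),
        "unsupported_pct": round(100.0 * len(unsupported) / total, 1) if total else 0.0,
        "over_threshold": sum(1 for f in unsupported if f.days_unsupported > threshold_days),
        "approaching_eol": len(buckets["approaching"]),
        "unknown_platform": len(buckets["unknown"]),
    }


if __name__ == "__main__":
    rows = parse_inventory(INVENTORY_CSV)
    for bucket, findings in classify(rows).items():
        for f in findings:
            print(f"{bucket:12} {f.hostname:15} {f.platform:15} eol={f.eol} days={f.days_unsupported}")
    print(summarize(rows))
```

The "unknown" bucket matters in practice: a server whose platform the end-of-life table does not recognise is exactly the kind of inherited system that slips through, so it is surfaced for review instead of being counted as supported.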

Recommendation 1

We recommend that Anthem update its policies and procedures to ensure that information
systems are upgraded                                                   .

Anthem Response

“Anthem maintains a comprehensive infrastructure lifecycle management program; the
program is designed to ensure that server operating systems remain current and supported
by vendors.
                    A ‘refresh history’ is developed for each server and application within
the Anthem environment, detailing the current status of the server or application within
the infrastructure lifecycle.

Anthem tracks the refresh history for each server and application within its environment.
As with any business that relies on changing technology, there are certain situations in
which migrating applications to a new version would be either impractical or impossible.
For example, a mission-critical application may become unstable if migrated to a newer
operating system version. In these cases, the Anthem information security team
documents the risks associated with maintaining the application and communicates these
risks to Anthem business owners as well as IT leadership. Where appropriate, the
information security team follows an exceptions process consistent with Anthem’s
Information Security Risk Exception Request Procedure, provided as Exhibit 1.1.




                       company acquisitions were migrated into the overall Anthem
lifecycle management program, resulting in the integration of              new servers into
the Anthem environment. Following the acquisitions, Anthem surveyed and prioritized
acquired servers for refresh based on the risk profile presented. These systems were
integrated into the infrastructure lifecycle management program in
                                                                          . A screenshot
from Anthem’s Security Exception Tracker system, attached as Exhibit 1.2, provides a
sample of the documentation created describing risk mitigation efforts for servers that had
been acquired by Anthem.




   As part of its ongoing infrastructure lifecycle management program, in the time that has
   elapsed since the OPM completed its assessment work,

          The remaining such servers in the Anthem environment have been integrated into
   one of the following phases of the refresh process described above:




   OIG Comment

   Anthem’s response to our draft audit report discusses an “exception process” to document
   servers that are not refreshed in accordance with the organization’s infrastructure lifecycle
   management program. Although it’s beneficial to document the risk associated with
   maintaining outdated hardware or software, such documentation does little to actually reduce
   that risk. As mentioned above,              servers (        percent of all of Anthem’s servers
   according to the inventory provided during the audit) are unsupported. While we would
   expect there to be exceptions to a small population of servers, the sheer number of
   unsupported servers indicates that the infrastructure lifecycle management program is not
   operating as intended. We continue to recommend that Anthem update its policies and
   procedures to ensure that information systems are upgraded to current versions prior to the
   end of vendor support.

2. Server Migration/Integration

   We performed a credentialed vulnerability assessment using automated tools against a sample
   of servers selected from Anthem’s system inventory. The vulnerability assessment identified
   numerous servers containing vulnerabilities such as missing patches, noncurrent software, and
   weak configuration settings. Anthem has relatively mature vulnerability, patch, and
   configuration management programs in place, so we would have expected the organization to
   have already detected these vulnerabilities and to have a corrective action plan in place.

   Upon further research it was determined that the vast majority of the servers containing
   vulnerabilities were previously owned and operated by another company that was recently
   acquired by Anthem. These servers were migrated into Anthem’s network, but it is apparent
   that they were not fully integrated into Anthem’s vulnerability management, patching, or
   configuration management programs.



We believe that Anthem should be extremely cautious when migrating new servers into its
technical environment. We acknowledge that Anthem must consider a wide variety of
business implications when it acquires new IT assets as part of a merger or acquisition, but
the risks associated with introducing vulnerabilities into the environment should be nearly
impossible to justify as a business decision. Anthem has dedicated significant time and
resources toward implementing IT controls to protect sensitive data, but the introduction of
unsecure devices could undermine these efforts.

NIST SP 800-53, Revision 4, states that the organization should scan for “vulnerabilities in
the information system and hosted applications [on a routine basis] and when new
vulnerabilities potentially affecting the system/applications are identified and reported.”
NIST SP 800-53, Revision 4, also states that security-relevant software and firmware updates
should be installed within timeframes defined by the organization. While Anthem has an
adequate process for scanning and patching most of its systems, the process should be
applied to all systems.

Recommendation 2

We recommend that Anthem determine what additional controls it can implement to ensure
that all servers are fully integrated into the Anthem configuration, patch, and vulnerability
management programs before being migrated into the network environment.

Anthem Response




As noted by OPM, the vast majority of the servers containing vulnerabilities were
previously owned by other companies that were recently acquired by Anthem. As with all
companies that acquire active companies that rely on existing technology to operate their
businesses, Anthem must determine how to integrate the acquired company’s technology
in a manner that is both efficient and sensitive to security concerns.

Anthem is currently reviewing its policies and procedures to further enhance its decision-
making framework governing the integration of acquired servers, including by




OIG Comment

The evidence received in response to the draft audit report indicates that Anthem’s
                                          already required servers to be integrated into
Anthem configuration, patch, and vulnerability management programs prior to deployment
into the production environment. Anthem also provided evidence that indicates that it has
additional policies that require the




This additional information increases our concern, as it demonstrates that Anthem violated its
own corporate policies by migrating these servers containing security weaknesses into its
environment. Therefore, we modified our draft report recommendation and now recommend
that Anthem determine what additional controls it can implement to ensure that all servers
are fully integrated into the Anthem configuration, patch, and vulnerability management
programs before being migrated into the network environment. Anthem’s new requirement
to obtain the approval of the
                                     is a good first step in this process.

      Recommendation 3

      We recommend that Anthem provide evidence that the vulnerability and configuration issues
      identified in our assessment specific to the acquired company’s servers have been
      remediated.

      Anthem Response

      “Anthem will be providing the evidence requested by OPM through established channels.
      This evidence demonstrates that the vulnerabilities or configuration management issues
      identified by OPM have been addressed within the Anthem environment. If OPM does not
      agree that these issues have been remediated, Anthem would appreciate the opportunity to
      provide additional evidence to OPM prior to publication of OPM’s final report.”

      OIG Comment

      As a part of the audit resolution process, we recommend Anthem provide OPM’s Healthcare
      and Insurance Audit Resolution Group with evidence that it has remediated the vulnerability
      and configuration issues identified in our assessment specific to the acquired company’s
      servers.

B. Configuration Management

   Configuration management controls are the policies and procedures that ensure that system
   software such as operating systems and databases are configured securely. We evaluated
   Anthem’s configuration management program as it relates to the systems that support the
   processing of FEHBP claims, and determined that the following controls were in place:

   • Configuration management policies and procedures;
   • Documented baseline configurations for all operating systems in use;
   • Routine configuration compliance auditing; and
   • A system software change control process.





Although Anthem has a mature configuration management program in place, as mentioned
above, these controls have not yet been applied to at least one set of servers that were acquired
from another company. We reiterate the importance of enforcing configuration management
controls to all devices in Anthem’s network.
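Recommendation 2 in section A (servers fully integrated into the configuration, patch, and vulnerability management programs before migration) and the baseline-configuration and compliance-auditing controls described in this section together describe a gate that can be enforced in code rather than by policy alone. The script below is an added example, not Anthem’s or the OIG’s tooling; the server records, the baseline settings, and the 30-day scan and patch freshness thresholds are constructed assumptions.

```python
"""Added example (not Anthem's or the OIG's tooling): a pre-migration gate
that admits a server into the production network only when it is enrolled in
vulnerability scanning with no open critical findings, current on patches, and
compliant with the documented baseline configuration.  The server records,
baseline and thresholds are constructed sample data."""
from datetime import date

AS_OF = date(2015, 11, 15)  # constructed evaluation date

# Constructed documented baseline: setting -> required value.
BASELINE = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "audit.enabled": "yes",
    "ntp.configured": "yes",
}

COMPLIANT = dict(BASELINE)  # a fully compliant configuration for the sample records

# Constructed records of the kind the inventory, vulnerability scanner and
# patch system would supply for each acquired server awaiting migration.
CANDIDATES = [
    {"hostname": "acq-web-07", "last_vuln_scan": date(2015, 11, 10),
     "open_findings": {"critical": 0, "high": 1}, "patch_agent": True,
     "days_since_patch": 12, "config": COMPLIANT},
    {"hostname": "acq-file-09", "last_vuln_scan": None,  # never enrolled
     "open_findings": {}, "patch_agent": False,
     "days_since_patch": 210,
     "config": {"ssh.PermitRootLogin": "yes", "audit.enabled": "no"}},
    {"hostname": "acq-db-04", "last_vuln_scan": date(2015, 9, 1),
     "open_findings": {"critical": 2, "high": 5}, "patch_agent": True,
     "days_since_patch": 45, "config": COMPLIANT},
]


def baseline_deviations(config, baseline=BASELINE):
    """Settings that are missing from, or differ from, the documented baseline.
    A missing setting is reported as None rather than assumed compliant."""
    return {k: config.get(k) for k, v in baseline.items() if config.get(k) != v}


def evaluate(server, as_of=AS_OF, max_scan_age_days=30, max_patch_age_days=30):
    """Apply every gate check and collect the reasons a server fails; a server
    is approved only when no check produced a reason."""
    reasons = []
    scan = server["last_vuln_scan"]
    if scan is None:
        reasons.append("not enrolled in vulnerability scanning")
    elif (as_of - scan).days > max_scan_age_days:
        reasons.append(f"last vulnerability scan is {(as_of - scan).days} days old")
    critical = server["open_findings"].get("critical", 0)
    if critical:
        reasons.append(f"{critical} open critical finding(s)")
    if not server["patch_agent"]:
        reasons.append("patch management agent not installed")
    if server["days_since_patch"] > max_patch_age_days:
        reasons.append(f"last patched {server['days_since_patch']} days ago")
    deviations = baseline_deviations(server["config"])
    if deviations:
        reasons.append("baseline deviations: " + ", ".join(
            f"{k}={v!r}" for k, v in sorted(deviations.items())))
    return {"hostname": server["hostname"], "approved": not reasons, "reasons": reasons}


def gate(servers, as_of=AS_OF):
    """Return (approved hostnames, {blocked hostname: reasons})."""
    results = [evaluate(s, as_of) for s in servers]
    approved = [r["hostname"] for r in results if r["approved"]]
    blocked = {r["hostname"]: r["reasons"] for r in results if not r["approved"]}
    return approved, blocked


if __name__ == "__main__":
    approved, blocked = gate(CANDIDATES)
    print("approved for migration:", approved)
    for host, reasons in blocked.items():
        print(f"BLOCKED {host}:")
        for r in reasons:
            print("   -", r)
```

Every check contributes its own reason rather than stopping at the first failure, so the output for a blocked server is the full work list needed to bring it into the three programs before it is allowed onto the network.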




IV. MAJOR CONTRIBUTORS TO THIS REPORT

INFORMATION SYSTEMS AUDIT GROUP

         , IT Auditor
             , IT Auditor



              , Senior Team Leader
           , Group Chief




                                 APPENDIX



                                                                          Federal Employee Program
                                                                          1310 G Street, N.W.
                                                                          Washington, D.C. 20005
                                                                          202.626.4800
                                                                          www.BCBS.com




July 7, 2016


Chief, Information Systems Audits Group
U.S. Office of Personnel Management (OPM)
1900 E Street, Room 6400
Washington, D.C. 20415-1100

Reference: OPM DRAFT IT AUDIT REPORT
           Anthem Blue Cross Blue Shield Follow-Up
           Audit Report Number 1A-10-62-16-003
           (Dated April 27, 2016)

Dear     :

Please find enclosed a copy of Anthem’s responses to the Office of the Inspector
General (OIG) recommendations included in the draft audit report of the information
technology audit conducted of Anthem, Inc. and dated April 27, 2016. If you have any
questions or concerns, please do not hesitate to contact me at               .

Sincerely,

 


Managing Director
FEP Program Assurance




July 5, 2016


Chief, Information Systems Audits Group
U.S. Office of Personnel Management (OPM)
1900 E Street, Room 6400
Washington, D.C. 20415-1100

Reference: OPM DRAFT IT AUDIT REPORT
           Anthem Blue Cross Blue Shield Follow-Up
           Audit Report Number 1A-10-62-16-003
           (Dated April 27, 2016)

The following represents the Response of Anthem, Inc. to the recommendations
included in the draft report of the audit conducted by the Office of the Inspector General
at the U.S. Office of Personnel Management (OPM). Anthem has appreciated the
opportunity to work with OPM’s auditors throughout this process.

Anthem’s Response contains confidential, proprietary and/or trade secret information of
Anthem and/or its affiliated entities and customers. The public use or disclosure of the
information provided in this response would cause harm, including competitive harm, to
the Company. The information provided in Anthem’s Response is exempt from public
disclosure pursuant to the Freedom of Information Act (FOIA) regulations, 5 U.S.C.
§ 552. Accordingly, the information provided in this Response, as well as
corresponding documentation, may not be released in response to a freedom of
information request or under any other circumstances. Should OPM determine that any
portion of the information and documentation provided is not exempt from disclosure,
Anthem requests that OPM provide two weeks’ notice of such determination so that
Anthem may take appropriate steps, including obtaining an appropriate protective order
or other relief from a court of competent jurisdiction, to protect this information from
disclosure. Anthem expressly reserves any applicable privileges or immunities to which
it is entitled by applicable law.

Similarly, the current draft of OPM’s findings and recommendations also contains
confidential, proprietary and/or trade secret information of Anthem and/or its affiliated
entities, the public disclosure of which would cause harm, including competitive harm, to
Anthem and/or its affiliated entities and customers. For that reason, Anthem will submit
a version of OPM’s draft report that redacts out this highly sensitive information. We repeat
the requests in the above paragraph with respect to FOIA and the opportunity to take
appropriate steps before any of the redacted information is produced or disclosed.
Anthem also requests an opportunity to review the final version of OPM’s report, before
that document becomes public, in order to review that final report for confidential,
proprietary and/or trade secret information and propose redactions to the final report to
protect such information from public disclosure.

We appreciate the opportunity to provide our response to each of the recommendations
in this report and request that our comments be incorporated into the Final Audit Report.
If you have any questions, please contact me at                 .

Sincerely,



Director, FEP Compliance/Internal Control

cc:




              Anthem’s Comments Related to Draft Recommendations


A. Network Security

Plan Response

The network security controls noted by OPM describe a subset of Anthem’s comprehensive
network security program. Among the information omitted from the description is the fact that
Anthem operates a Cyber Security Operations Center (“CSOC”).




1. System Lifecycle Management

   Recommendation 1

   We recommend that Anthem update its policies and procedures to ensure that information
   systems are upgraded to current versions prior to the end of vendor support.

   Anthem Response

   Anthem maintains a comprehensive infrastructure lifecycle management program; the
   program is designed to ensure that server operating systems remain current and supported
   by vendors.
                         A “refresh history” is developed for each server and application within
   the Anthem environment, detailing the current status of the server or application within the
   infrastructure lifecycle.

   Anthem tracks the refresh history for each server and application within its environment. As
   with any business that relies on changing technology, there are certain situations in which
   migrating applications to a new version would be either impractical or impossible.

                              In these cases, the Anthem information security team documents
   the risks associated with maintaining the application and communicates these risks to
   Anthem business owners as well as IT leadership. Where appropriate, the information
   security team follows an exceptions process consistent with Anthem’s Information Security
   Risk Exception Request Procedure, provided as Exhibit 1.1.




                           company acquisitions were migrated into the overall Anthem lifecycle
   management program, resulting in the integration of              new servers into the
   Anthem environment. Following the acquisitions, Anthem surveyed and prioritized acquired
   servers for refresh based on the risk profile presented. These systems were integrated into
   the infrastructure lifecycle management program in

                                                             . A screenshot from Anthem’s
   Security Exception Tracker system, attached as Exhibit 1.2, provides a sample of the
   documentation created describing risk mitigation efforts for servers that had been acquired
   by Anthem.

   As part of its ongoing infrastructure lifecycle management program, in the time that has
   elapsed since the OPM completed its assessment work,

           The remaining such servers in the Anthem environment have been integrated into
   one of the following phases of the refresh process described above:



2. Server Migration/Integration

   Recommendation 2

   We recommend that Anthem update its policies and procedures to require all servers
   to be fully integrated into the Anthem configuration, patch, and vulnerability
   management program before being migrated into the network environment.

   Plan Response


As noted by OPM, the vast majority of the servers containing vulnerabilities were previously
owned by other companies                                           . As with all companies
that acquire active companies that rely on existing technology to operate their businesses,
Anthem must determine how to integrate the                      technology in a manner that
is both efficient and sensitive to security concerns.

Anthem is currently reviewing its policies and procedures to further enhance its
decision-making framework governing the integration of acquired servers, including by



Recommendation 3

We recommend that Anthem provide evidence that the vulnerability and configuration
issues identified in our assessment specific to the acquired company’s servers have been
remediated.

Plan Response

Anthem will be providing the evidence requested by OPM through established channels. This
evidence demonstrates that the vulnerabilities or configuration management issues identified
by OPM have been addressed within the Anthem environment. If OPM does not agree that
these issues have been remediated, Anthem would appreciate the opportunity to provide
additional evidence to OPM prior to publication of OPM’s final report.
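Recommendations 1 and 2 above describe two controls: refreshing platforms before the vendor's support ends (with documented risk exceptions for the cases where that is impractical), and enrolling acquired servers in configuration, patch and vulnerability management before they are connected to the network. The following is an editor-added illustration of how an inventory check for both controls can be written; it is not code from Anthem or OPM, and the server names, platform labels, support-end dates, the 180-day warning window and the exception-ticket field are all constructed assumptions (the exception field stands in for an approved request under a risk-exception procedure such as the one Anthem cites as Exhibit 1.1).

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed reference date: the report's publication date.
REPORT_DATE = date(2016, 8, 15)


@dataclass
class Server:
    """One row of a (constructed) server inventory / refresh history."""
    name: str
    platform: str
    support_ends: date                  # vendor end-of-support date for this platform version
    acquired: bool = False              # inherited through a company acquisition
    in_config_mgmt: bool = False        # enrolled in configuration management
    in_patch_mgmt: bool = False         # enrolled in patch management
    in_vuln_scanning: bool = False      # enrolled in vulnerability scanning
    exception_id: Optional[str] = None  # approved risk-exception ticket, if any (assumed field)


def lifecycle_findings(servers: List[Server], today: date,
                       warn_days: int = 180) -> Dict[str, str]:
    """Recommendation 1 check: servers past vendor support ("unsupported") or
    within warn_days of it ("refresh-due"). Servers with an approved exception
    are tracked through the exception process instead and are not reported."""
    horizon = today + timedelta(days=warn_days)
    findings: Dict[str, str] = {}
    for s in servers:
        if s.exception_id:
            continue
        if s.support_ends < today:
            findings[s.name] = "unsupported"
        elif s.support_ends <= horizon:
            findings[s.name] = "refresh-due"
    return findings


def integration_gaps(server: Server) -> List[str]:
    """Names of the management programs a server is not yet enrolled in."""
    required = {
        "config_mgmt": server.in_config_mgmt,
        "patch_mgmt": server.in_patch_mgmt,
        "vuln_scanning": server.in_vuln_scanning,
    }
    return [program for program, enrolled in required.items() if not enrolled]


def blocked_migrations(servers: List[Server], today: date) -> Dict[str, List[str]]:
    """Recommendation 2 gate: acquired servers that must not be connected to the
    network yet, with the reasons. An empty result means every acquired server
    is fully enrolled and on a supported (or exception-approved) platform."""
    blocked: Dict[str, List[str]] = {}
    for s in servers:
        if not s.acquired:
            continue
        reasons = integration_gaps(s)
        if s.support_ends < today and not s.exception_id:
            reasons.append("unsupported-platform")
        if reasons:
            blocked[s.name] = reasons
    return blocked


# Constructed sample inventory; platform names and dates are illustrative only.
SAMPLE_INVENTORY = [
    Server("app-01", "os-A 2012", date(2020, 1, 14),
           in_config_mgmt=True, in_patch_mgmt=True, in_vuln_scanning=True),
    Server("db-02", "os-A 2003", date(2015, 7, 14),
           in_config_mgmt=True, in_patch_mgmt=True, in_vuln_scanning=True),
    Server("legacy-03", "os-B 5", date(2014, 3, 31), exception_id="ISREQ-0001",
           in_config_mgmt=True, in_patch_mgmt=True, in_vuln_scanning=True),
    Server("acq-04", "os-A 2008", date(2017, 1, 10), acquired=True,
           in_config_mgmt=True),
    Server("acq-05", "os-A 2003", date(2015, 7, 14), acquired=True),
]

if __name__ == "__main__":
    for name, status in lifecycle_findings(SAMPLE_INVENTORY, REPORT_DATE).items():
        print(f"lifecycle: {name} is {status}")
    for name, reasons in blocked_migrations(SAMPLE_INVENTORY, REPORT_DATE).items():
        print(f"migration blocked: {name}: {', '.join(reasons)}")
```

Run against the constructed inventory, the lifecycle check reports db-02 and acq-05 as unsupported and acq-04 as due for refresh, while legacy-03 is silent because it carries an approved exception; the migration gate blocks acq-04 for missing patch and vulnerability enrollment and acq-05 for all three plus an unsupported platform. In practice the inventory rows would come from the configuration management database and the support-end dates from vendor lifecycle data rather than literals.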



Report Fraud, Waste, and Mismanagement

Fraud, waste, and mismanagement in Government concerns everyone: Office of the Inspector
General staff, agency employees, and the general public. We actively solicit allegations of
any inefficient and wasteful practices, fraud, and mismanagement related to OPM programs
and operations. You can report allegations to us in several ways:

By Internet:   http://www.opm.gov/our-inspector-general/hotline-to-report-fraud-waste-or-abuse

By Phone:      Toll Free Number:        (877) 499-7295
               Washington Metro Area:   (202) 606-2423

By Mail:       Office of the Inspector General
               U.S. Office of Personnel Management
               1900 E Street, NW
               Room 6400
               Washington, DC 20415-1100