U.S. OFFICE OF PERSONNEL MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS
Final Audit Report
AUDIT OF THE INFORMATION SYSTEMS
GENERAL AND APPLICATION CONTROLS AT
BLUE SHIELD OF CALIFORNIA
Report Number 1A-10-67-16-040
January 24, 2017
-- CAUTION --
This report has been distributed to Federal officials who are responsible for the administration of the subject program. This non-public version may
contain confidential and/or proprietary information, including information protected by the Trade Secrets Act, 18 U.S.C. § 1905, and the Privacy Act,
5 U.S.C. § 552a. Therefore, while a redacted version of this report is available under the Freedom of Information Act and made publicly available on
the OIG webpage (http://www.opm.gov/our-inspector-general), this non-public version should not be further released unless authorized by the OIG.
EXECUTIVE SUMMARY
Audit of the Information Systems General and Application Controls at
Blue Shield of California
Report No. 1A-10-67-16-040 January 24, 2017
Why Did We Conduct the Audit? What Did We Find?
Blue Shield of California (BSC) Our audit of the IT security controls of BSC determined that:
contracts with the U.S. Office of
Personnel Management as part of BSC has implemented an incident response and network
the Federal Employees Health security program. BSC has also implemented preventative
Benefits Program (FEHBP). controls at its network perimeter and performs security event
monitoring throughout the network. However, we noted one
The objectives of this audit were to area of concern related to BSC’s network security controls:
evaluate controls over the
confidentiality, integrity, and o BSC’s information systems have not been subject to full-
availability of FEHBP data scope credentialed vulnerability scans.
processed and maintained in BSC’s
information technology (IT) BSC has developed formal configuration management policies.
environment. This engagement was However, we noted several areas of concern related to BSC’s
configuration management controls:
a follow-up audit where we
performed test work that we were
restricted from completing during a o BSC’s IT environment contains systems that are running on
unsupported operating platforms.
prior audit of BSC (Report No. 1A-
10-67-14-006).
o BSC has not maintained, documented, and approved
configuration standards for each operating platform used in
What Did We Audit?
its environment.
The scope of this audit centered on o BSC’s configuration compliance auditing program could be
the information systems used by improved by incorporating the documented configuration
BSC to process and store data related standards mentioned above and by using appropriate
to insurance claims for FEHBP credentials when performing compliance scanning.
members.
______________________
Michael R. Esser
Assistant Inspector General
for Audits
i
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
ABBREVIATIONS
the Act The Federal Employees Health Benefits Act
BSC Blue Shield of California
BCBS Blue Cross Blue Shield
BCBSA Blue Cross Blue Shield Association
CFR Code of Federal Regulations
DO Director’s Office
FEHBP Federal Employees Health Benefits Program
FEP Federal Employee Program
FISCAM Federal Information Systems Control Audit Manual
GAO U.S. Government Accountability Office
IT Information Technology
NIST SP National Institute of Standards and Technology’s Special Publication
OIG Office of the Inspector General
OMB U.S. Office of Management and Budget
OPM U.S. Office of Personnel Management
Plan Blue Shield of California
ii
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
IV. MAJOR CONTRIBUTORS TO THIS REPORT
TABLE OF CONTENTS
Page
EXECUTIVE SUMMARY ......................................................................................... i
ABBREVIATIONS ..................................................................................................... ii
I. BACKGROUND ..........................................................................................................1
II. OBJECTIVES, SCOPE, AND METHODOLOGY ..................................................2
III. AUDIT FINDINGS AND RECOMMENDATIONS.................................................5
A. Network Security .....................................................................................................5
B. Configuration Management .....................................................................................7
APPENDIX: Blue Shield of California’s November 18, 2016, response to the draft
audit report, issued September 16, 2016.
REPORT FRAUD, WASTE, AND MISMANAGEMENT
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
IV. MAJOR CONTRIBUTORS
I. BACKGROUND
TO THIS REPORT
This final report details the findings, conclusions, and recommendations resulting from the audit
of general and application controls over the information systems responsible for processing
Federal Employees Health Benefits Program (FEHBP) claims by Blue Shield of California (BSC
or Plan).
The audit was conducted pursuant to FEHBP contract CS 1039; 5 U.S.C. Chapter 89; and 5 Code
of Federal Regulations (CFR) Chapter 1, Part 890. The audit was performed by the U.S. Office
of Personnel Management’s (OPM) Office of the Inspector General (OIG), as established by the
Inspector General Act of 1978, as amended.
The FEHBP was established by the Federal Employees Health Benefits Act (the Act), enacted on
September 28, 1959. The FEHBP was created to provide health insurance benefits for federal
employees, annuitants, and qualified dependents. The provisions of the Act are implemented by
OPM through regulations codified in Title 5, Chapter 1, Part 890 of the CFR. Health insurance
coverage is made available through contracts with various carriers that provide service benefits,
indemnity benefits, or comprehensive medical services.
The Blue Cross Blue Shield Association, on behalf of participating Blue Cross and Blue Shield
(BCBS) plans, has entered into a Government-wide Service Benefit Plan contract (CS 1039) with
OPM to provide a health benefit plan authorized by the FEHB Act. The Association delegates
authority to participating local BCBS plans throughout the United States, such as BSC, to
process the health benefit claims of its federal subscribers.
The Association has established a Federal Employee Program (FEP) Director’s Office (DO) in
Washington, D.C. to provide centralized management for the Service Benefit Plan. The FEP DO
coordinates the administration of the contract with the Association, member BCBS plans, and
OPM.
1 Report No. 1A-10-67-16-040
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
II. OBJECTIVES, SCOPE, AND METHODOLOGY
OBJECTIVES
The objectives of this audit were to evaluate controls over the confidentiality, integrity, and
availability of FEHBP data processed and maintained in BSC’s information technology (IT)
environment. We accomplished these objectives by reviewing IT security controls related to
BSC’s network security and configuration management.
SCOPE AND METHODOLOGY
This performance audit was conducted in accordance with generally accepted government
auditing standards issued by the Comptroller General of the United States. Accordingly, we
obtained an understanding of BSC’s internal controls through interviews and observations, as
well as inspection of various documents, including IT and other related organizational policies
and procedures. This understanding of BSC’s internal controls was used in planning the audit by
determining the extent of compliance testing and other auditing procedures necessary to verify
that the internal controls were properly designed, placed in operation, and effective.
This engagement was a follow-up audit where we performed test work related to network
security and configuration management that BSC restricted us from completing during a prior
audit (Report No. 1A-10-67-14-006, issued July 9, 2014). All recommendations from the prior
audit have been closed. The business processes reviewed are primarily located in BSC’s El
Dorado Hills, California, facility.
The on-site portion of this audit was performed in May of 2016. We completed additional audit
work before and after the on-site visit at our office in Washington, D.C. The findings,
recommendations, and conclusions outlined in this report are based on the status of information
system general controls in place at BSC as of June 2016.
In conducting our audit, we relied to varying degrees on computer-generated data provided by
BSC. Due to time constraints, we did not verify the reliability of the data used to complete some
of our audit steps but we determined that it was adequate to achieve our audit objectives.
However, when our objective was to assess computer-generated data, we completed audit steps
necessary to obtain evidence that the data was valid and reliable.
In conducting this review we:
Gathered documentation and conducted interviews;
2 Report No. 1A-10-67-16-040
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
Reviewed BSC’s business structure and environment;
Performed a risk assessment of BSC’s information systems environment and applications,
and prepared an audit program based on the assessment and the U.S. Government
Accountability Office’s (GAO) Federal Information System Controls Audit Manual
(FISCAM); and
Conducted various compliance tests to determine the extent to which established controls and
procedures are functioning as intended. As appropriate, we used judgmental sampling in
completing our compliance testing.
Various laws, regulations, and industry standards were used as a guide to evaluate BSC’s control
structure. These criteria include, but are not limited to, the following publications:
Title 48 of the Code of Federal Regulations;
U.S. Office of Management and Budget (OMB) Circular A-130, Appendix III;
OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of
Personally Identifiable Information;
Information Technology Governance Institute’s COBIT: Control Objectives for Information
and Related Technology;
GAO’s FISCAM;
National Institute of Standards and Technology’s Special Publication (NIST SP) 800-12,
Introduction to Computer Security: The NIST Handbook;
NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information
Technology Systems;
NIST SP 800-41, Revision 1, Guidelines on Firewalls and Firewall Policy;
NIST SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems
and Organizations; and
NIST SP 800-61, Revision 2, Computer Security Incident Handling Guide.
3 Report No. 1A-10-67-16-040
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
COMPLIANCE WITH LAWS AND REGULATIONS
In conducting the audit, we performed tests to determine whether BSC’s practices were
consistent with applicable standards. While generally compliant, with respect to the items tested,
BSC was not in complete compliance with all standards as described in the “Audit Findings and
Recommendations” section of this report.
4 Report No. 1A-10-67-16-040
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
III. AUDIT FINDINGS AND RECOMMENDATIONS
A. NETWORK SECURITY
Network security includes the policies and controls in place to manage and monitor the activity
of a computer network and network-accessible resources.
We noted that BSC has implemented the following network security controls:
A variety of controls protect and monitor the network perimeter. The interior network is
segmented into multiple zones with different levels of trust, and unless specifically allowed,
all cross traffic is denied;
Security event monitoring is present throughout the network. BSC has contracted with a
third party for network monitoring. This service includes consultation for system design,
implementation, and ongoing monitoring and maintenance. The overall solution provides
prevention services for HTTP/HTTPS based attacks, as well as protection against lateral
attacks across the network; and
A documented incident response program. BSC has implemented a Cyber Defense Center
with standardized procedures and provides training in response activities and forensics.
The following section documents opportunities for improvement related to BSC’s vulnerability
management program.
1) Vulnerability Management
We initiated this audit to follow-up on concerns we raised during a 2014 IT audit of BSC
regarding the organization’s vulnerability management program. In the prior audit, BSC
prohibited us from performing automated vulnerability scans on its computer servers – a
routine step in all of our IT audit engagements. In an alternate effort to meet our audit
objective we asked BSC to perform these scans on our behalf. However, BSC was unable to
successfully perform the scans on 75 percent of the servers we selected, nor was it able to
produce historical scans of the selected servers. As a result, we were unable to independently
attest that BSC had a vulnerability management program in place.
During this current audit, BSC willingly allowed us to perform our own automated
vulnerability scans and to thoroughly review its vulnerability management program.
5 Report No. 1A-10-67-16-040
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
Our test work in this area began with interviewing BSC personnel to learn about the
organization’s procedures for performing vulnerability scans. During the interview we were
told that every computer server is scanned on a monthly basis, and that the scans are
performed using privileged user credentials that allow the scanning tool to collect all of the
data necessary for a comprehensive scan.
We subsequently requested evidence to support the statements made in the interview.
Specifically, we requested three iterations of historical vulnerability scan reports (scans from
three different months) for a sample of 20 servers. In response, BSC provided us with
screenshots (images) of the scanning tool’s configuration settings and a statement indicating
that the images “show that all systems in the list are being subject to vulnerability scans” and
that “credentialed scans are being performed.”
However, this evidence did not fully support BSC’s
statements, and we insisted BSC provide the full BSC’s vulnerability scan
historical scan reports as we had originally reports indicated that
requested. BSC ultimately provided the scan servers sampled were
reports, and these reports indicated that scanned during the three
servers were subject to a vulnerability scan months tested.
during any of the three months, and was
subject to a scan in more than one month. In addition, the content of the scan reports made it
apparent that these scans were not run with the privileges necessary to perform a thorough
analysis. BSC subsequently provided a statement acknowledging that its original attestation
that “all scans are credentialed” was not accurate, as the historical vulnerability scans were,
in fact, not run with the credentials necessary to perform a thorough scan.
The vulnerability scans that we independently performed during this audit identified several
vulnerabilities that could have been previously detected by BSC had it been routinely
running credentialed vulnerability scans on its servers. The 2014 audit report states that BSC
“has not implemented a full scope vulnerability management program for servers housed in
the data center it maintains. . . .” The test work performed during this audit indicates that this
statement is still applicable.
NIST SP 800-53, Revision 4, requires that an organization “Scans for vulnerabilities in the
information system and hosted applications” on an organization defined frequency, and that
“Privileged access authorization to selected system components facilitates more thorough
vulnerability scanning and also protects the sensitive nature of such scanning.”
6 Report No. 1A-10-67-16-040
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
Failure to perform full scope vulnerability scanning with proper privileged user credentials
significantly decreases BSC’s ability to identify and remediate security vulnerabilities.
Recommendation 1
We recommend that BSC implement a comprehensive vulnerability management program
that includes routine credentialed vulnerability scans against all servers.
BSC Response:
“BSC agrees with this recommendation. BSC worked on the implementation of
credentialed vulnerability scanning after the OIG completed [its] on-site [fieldwork] and
completed the implementation prior to the issuance of the draft report.”
OIG Comment:
As part of the audit resolution process, we recommend that BSC provide OPM’s Healthcare
and Insurance Audit Resolution Group with evidence that it has adequately implemented this
recommendation. This statement also applies to all subsequent recommendations in this
report that BSC agrees to implement.
B. CONFIGURATION MANAGEMENT
Configuration management controls are the activities focused on establishing and maintaining
the integrity of information systems through control of processes for initializing, changing, and
monitoring the configurations of those systems throughout the system development life cycle.
We evaluated BSC’s configuration management program as it relates to the systems that support
the processing of FEHBP claims, and determined that the following controls were in place:
Configuration management policies and procedures that include defined roles and
responsibilities for the different stakeholders involved in the configuration management
process; and
Procedures for ensuring software patches are installed in a timely manner.
Although BSC has a configuration management program in place, the following sections
document several areas where this program could be improved.
7 Report No. 1A-10-67-16-040
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
1) System Lifecycle Management
BSC’s system inventory
BSC has a policy in place that states that all operating
included operating
platforms in its environment must not have reached their
systems that are
“end-of-life” and that there must be a vendor,
unsupported,
organization, or other entity providing ongoing security
patches. However, our analysis of BSC’s system
inventory revealed that
Software vendors typically advertise the dates that they will no longer provide support or
distribute security patches for their products (referred to as end-of-life dates). In order to
avoid the risk associated with having critical business operations dependent on unsupported
software, organizations must have a process in place to anticipate end-of-life dates and phase
out such software prior to this window of exposure.
NIST SP 800-53, Revision 4, recommends that organizations replace “information system
components when support for the components is no longer available from the developer,
vendor, or manufacturer . . . .” NIST SP 800-53, Revision 4, also states that “Unsupported
components … provide a substantial opportunity for adversaries to exploit new weaknesses
discovered in the currently installed components.”
Failure to upgrade system software could result in information systems containing security
vulnerabilities to which no remediation is available.
Recommendation 2
We recommend that BSC decommission all unsupported operating systems in its
environment, and that it update its policies and procedures to include additional controls
ensuring that software is phased out before its end-of-life date.
BSC Response:
“BSC agrees with this recommendation. BSC has been addressing the decommissioning
of end-of-life systems. BSC has identified the remaining operating systems which are end-
of-life and action plans to retire them are being finalized. Action plans for these systems
and any necessary associated security exception documentation will be completed by
8 Report No. 1A-10-67-16-040
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
. Additionally, by , BSC will also enhance our processes to
ensure software is phased out before its end-of-life date.”
2) Configuration Standards
Our 2014 audit determined that BSC did not maintain, document, or approve configuration
standards for all operating systems used in its environment. In response to the 2014 draft
audit report, BSC stated that it had implemented a new policy where the Center for Internet
Security (CIS) benchmarks would be used as a guide for developing configuration standards
for all of its servers. We noted in the 2014 final audit report that this was an improvement,
but that evidence was still needed to indicate that BSC’s configuration standards had been
customized to “include approved deviations and exceptions from CIS standard benchmarks.”
The prior recommendation was subsequently closed when BSC provided evidence that it had
developed comprehensive configuration standards that were customized to the BSC
environment and addressed deviations from the CIS benchmarks.
As part of this current audit we again requested copies of BSC’s configuration standards. In
response, BSC provided us with a limited sample of approximately 40 settings, but the
response did not include the approved value of each setting. For example, the response listed
a configurable setting of “maximum password age,” but did not indicate the actual value that
BSC had approved for this setting (i.e., how many days before a user is forced to change their
password).
The documentation provided by BSC during this audit does not indicate that the organization
has comprehensive operating system configuration standards in place. The list of
approximately 40 values that we were provided is far less comprehensive than a typical
configuration standard (e.g., the CIS benchmark), and did not include the exceptions that
were described in the documentation that BSC had previously provided to OPM in an effort
to close the 2014 audit recommendation. It appears that BSC stopped following (or did not
fully implement) the configuration standard framework that it established in response to the
2014 audit finding.
NIST SP 800-53, Revision 4, identifies the need for an
organization to establish, implement, document deviations, BSC has not developed
and monitor configuration settings. It also states that and approved
configuration settings must include “(i) registry settings; (ii) configuration
account, file, directory permission settings; and (iii) settings standards for each
for functions, ports, protocols, services, and remote operating system.
connections.”
9 Report No. 1A-10-67-16-040
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
Failure to establish thorough system configuration standards increases the risk that
information systems may not meet performance or security requirements defined by the
organization.
Recommendation 3
We recommend that BSC formally document and approve a set of configuration standards
for each operating platform in its network environment, and that the settings reflect the most
restrictive mode consistent with the operational requirements. If BSC leverages existing
configuration standards (e.g., CIS benchmarks) as a guide, then BSC’s standards should
document the deviations and exceptions required for its unique technical environment.
BSC Response:
“BSC agrees with this recommendation. BSC has defined, risk-based configuration
standards for security for hardening for each operating platform in our network
environment. By , BSC will update our hardening framework to ensure that
our configuration standards are refreshed as new/updated CIS Benchmarks are
published.”
3) Compliance Auditing
BSC could improve its procedures by auditing the current configuration of its computer
servers against an approved standard. Our 2014 audit report indicated that BSC conducted
compliance audits on its servers using generic CIS benchmarks, but that these audits were not
fully effective as there was not a BSC-specific standard to audit against. We recommended
that BSC routinely audit security configuration settings using its own approved baselines.
This recommendation was subsequently closed when BSC provided evidence that it had
developed customized configuration standards and was routinely auditing against those
standards using an automated scanning tool.
As part of this audit we evaluated this new process and identified several areas of concern
with BSC’s compliance auditing methodology:
There were multiple servers scanned with the wrong configuration standard (e.g.,
systems were audited against settings). Auditing a system
with a configuration standard will produce little to no meaningful results. In
effect, these systems are not being subjected to compliance auditing at all;
10 Report No. 1A-10-67-16-040
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
Multiple scans were performed without the necessary privileges to perform a thorough
analysis. Scans performed without system credentials that allow the scanning tool to
authenticate to the scan target may not be able to collect the information necessary to
audit each configuration setting;
As stated in the section above, BSC has not documented comprehensive operating system
configuration standards that are customized to its specific environment. Compliance
audits performed against generic standards are only minimally effective; and
We did not receive evidence that
FISCAM states that organizations should require, “Current configuration information [to] be
routinely monitored for accuracy. Monitoring should address the current baseline and
operational configuration of the hardware, software, and firmware that comprise the
information system.”
Failure to implement a thorough configuration compliance auditing program increases the
risk that insecurely configured servers exist undetected.
Recommendation 4
We recommend that BSC routinely audit all of its servers and against the
comprehensive configuration standards established in response to Recommendation 3. If
automated scanning tools are used to perform these audits, BSC should ensure that the tools
have the appropriate system privileges to perform a thorough scan.
BSC Response:
“BSC agrees with this recommendation. By , BSC will enhance the
routine audits of all of our servers and to ensure they are utilizing
appropriate configuration standards and that the tools used for the configuration scanning
have appropriate privileges to perform the scans.”
11 Report No. 1A-10-67-16-040
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
APPENDIX
November 18, 2016
Federal Employee Program
1310 G Street, N.W.
Chief, Information Systems Audit Group Washington, D.C. 20005
202.942.1000
U.S. Office of Personnel Management (OPM)
Fax 202.942.1125
1900 E Street, Room 6400
Washington, D.C. 20415-1100
Reference: OPM DRAFT IT AUDIT REPORT
Blue Shield of California (BSC) Follow-up
Audit Report Number 1A-10-67-16-040
(Dated September 16, 2016)
The following represents the Plan’s response as it relates to the recommendations included in the draft
report.
A. Network Security
1. Vulnerability Management
Recommendation 1
We recommend that BSC implement a comprehensive vulnerability management program that
includes routine credentialed vulnerability scans against all servers.
Plan Response
BSC agrees with this recommendation. BSC worked on the implementation of credentialed
vulnerability scanning after the OIG completed their on-site and completed the implementation prior to
the issuance of the draft report.
B. Configuration Management
2. System Lifecycle Management
Recommendation 2
We recommend that BSC decommission all unsupported operating systems in its environment, and
that it update its policies and procedures to include additional controls ensuring that software is
phased out before its end-of-life date.
Plan Response
BSC agrees with this recommendation. BSC has been addressing the decommissioning of end-of-life
Report No. 1A-10-67-16-040
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
systems. BSC has identified the remaining operating systems which are end-of-life and action plans
to retire them are being finalized. Action plans for these systems and any necessary associated
security exception documentation will be completed by . Additionally, by
, BSC will also enhance our processes to ensure software is phased out before its end-of-life
date.
3. Configuration Standards
Recommendation 3
We recommend BSC formally document and approve a set of configuration standards for each
operating platform in its network environment, and that the settings reflect the most restrictive mode
consistent with the operational requirements. If BSC leverages existing configuration standards (e.g.,
CIS benchmarks) as a guide, then BSC’s standards should document the deviations and exceptions
required for its unique technical environment.
Plan Response
BSC agrees with this recommendation. BSC has defined, risk-based configuration standards for
security for hardening for each operating platform in our network environment. By ,
BSC will update our hardening framework to ensure that our configuration standards are refreshed as
new/updated CIS Benchmarks are published.
4. Compliance Auditing
Recommendation 4
We recommend BSC routinely audit all of its servers and against the appropriate
configuration standards. If automated scanning tools are used to perform these audits, BSC should
ensure that the tools have the appropriate system privileges to perform a thorough scan.
Plan Response
BSC agrees with this recommendation. By , BSC will enhance the routine audits of
all of our servers and to ensure they are utilizing appropriate configuration standards
and that the tools used for the configuration scanning have appropriate privileges to perform the
scans.
We appreciate the opportunity to provide our response to each of the recommendations in this report and
request that our comments be included in their entirety and are made a part of the Final Audit Report. If
you have any questions, please contact me at or at .
Sincerely,
, CISA
Managing Director, FEP Program Assurance
Report No. 1A-10-67-16-040
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
cc: , FEP
, FEP
Report No. 1A-10-67-16-040
This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
Report Fraud, Waste, and
Mismanagement
Fraud, waste, and mismanagement in
Government concerns everyone: Office of
the Inspector General staff, agency
employees, and the general public. We
actively solicit allegations of any inefficient
and wasteful practices, fraud, and
mismanagement related to OPM programs
and operations. You can report allegations
to us in several ways:
By Internet: http://www.opm.gov/our-inspector-general/hotline-to-
report-fraud-waste-or-abuse
By Phone: Toll Free Number: (877) 499-7295
Washington Metro Area: (202) 606-2423
By Mail: Office of the Inspector General
U.S. Office of Personnel Management
1900 E Street, NW
Room 6400
Washington, DC 20415-1100
-- CAUTION --
This report has been distributed to Federal officials who are responsible for the administration of the subject program. This non-public
version may contain confidential and/or proprietary information, including information protected by the Trade Secrets Act, 18 U.S.C. §
1905, and the Privacy Act, 5 U.S.C. § 552a. Therefore, while a redacted version of this report is available under the Freedom of
Information Act and made publicly available on the OIG webpage (http://www.opm.gov/our-inspector-general), this non-public version
should not be further released unless authorized by the OIG.
Audit of the Information Systems General and Application Controls at Blue Shield of California
Published by the Office of Personnel Management, Office of Inspector General on 2017-01-24.
Below is a raw (and likely hideous) rendition of the original report. (PDF)