
Audit of the Information Systems General and Application Controls at Blue Shield of California

Published by the Office of Personnel Management, Office of Inspector General on 2017-01-24.


        U.S. OFFICE OF PERSONNEL MANAGEMENT
           OFFICE OF THE INSPECTOR GENERAL
                    OFFICE OF AUDITS




               Final Audit Report
              AUDIT OF THE INFORMATION SYSTEMS
            GENERAL AND APPLICATION CONTROLS AT
                  BLUE SHIELD OF CALIFORNIA
                                            Report Number 1A-10-67-16-040
                                                   January 24, 2017




                                                               -- CAUTION --

 This report has been distributed to Federal officials who are responsible for the administration of the subject program. This non-public version may
contain confidential and/or proprietary information, including information protected by the Trade Secrets Act, 18 U.S.C. § 1905, and the Privacy Act,
5 U.S.C. § 552a. Therefore, while a redacted version of this report is available under the Freedom of Information Act and made publicly available on
  the OIG webpage (http://www.opm.gov/our-inspector-general), this non-public version should not be further released unless authorized by the OIG.
EXECUTIVE SUMMARY

Audit of the Information Systems General and Application Controls at Blue Shield of California

Report No. 1A-10-67-16-040                                                    January 24, 2017



Why Did We Conduct the Audit?

Blue Shield of California (BSC) contracts with the U.S. Office of Personnel Management as part of
the Federal Employees Health Benefits Program (FEHBP).

The objectives of this audit were to evaluate controls over the confidentiality, integrity, and
availability of FEHBP data processed and maintained in BSC’s information technology (IT)
environment. This engagement was a follow-up audit where we performed test work that we were
restricted from completing during a prior audit of BSC (Report No. 1A-10-67-14-006).

What Did We Audit?

The scope of this audit centered on the information systems used by BSC to process and store data
related to insurance claims for FEHBP members.

What Did We Find?

Our audit of the IT security controls of BSC determined that:

- BSC has implemented an incident response and network security program. BSC has also
  implemented preventative controls at its network perimeter and performs security event
  monitoring throughout the network. However, we noted one area of concern related to BSC’s
  network security controls:

  o BSC’s information systems have not been subject to full-scope credentialed vulnerability
    scans.

- BSC has developed formal configuration management policies. However, we noted several areas
  of concern related to BSC’s configuration management controls:

  o BSC’s IT environment contains systems that are running on unsupported operating platforms.

  o BSC has not maintained, documented, and approved configuration standards for each operating
    platform used in its environment.

  o BSC’s configuration compliance auditing program could be improved by incorporating the
    documented configuration standards mentioned above and by using appropriate credentials when
    performing compliance scanning.



 ______________________
 Michael R. Esser
 Assistant Inspector General
 for Audits
                                                                         i
           This report is non-public and should not be further released unless authorized by the OIG, because it may contain confidential and/or proprietary
                           information that may be protected by the Trade Secrets Act, 18 U.S.C. § 1905, or the Privacy Act, 5 U.S.C. § 552a.
                                            ABBREVIATIONS


    the Act                    The Federal Employees Health Benefits Act
    BSC                        Blue Shield of California
    BCBS                       Blue Cross Blue Shield
    BCBSA                      Blue Cross Blue Shield Association
    CFR                        Code of Federal Regulations
    DO                         Director’s Office
    FEHBP                      Federal Employees Health Benefits Program
    FEP                        Federal Employee Program
    FISCAM                     Federal Information Systems Control Audit Manual
    GAO                        U.S. Government Accountability Office
    IT                         Information Technology
    NIST SP                    National Institute of Standards and Technology’s Special Publication
    OIG                        Office of the Inspector General
    OMB                        U.S. Office of Management and Budget
    OPM                        U.S. Office of Personnel Management
    Plan                       Blue Shield of California




TABLE OF CONTENTS

EXECUTIVE SUMMARY

ABBREVIATIONS

I.   BACKGROUND

II.  OBJECTIVES, SCOPE, AND METHODOLOGY

III. AUDIT FINDINGS AND RECOMMENDATIONS

     A. Network Security

     B. Configuration Management

APPENDIX: Blue Shield of California’s November 18, 2016, response to the draft audit report,
          issued September 16, 2016.

REPORT FRAUD, WASTE, AND MISMANAGEMENT




I. BACKGROUND

This final report details the findings, conclusions, and recommendations resulting from the audit
of general and application controls over the information systems responsible for processing
Federal Employees Health Benefits Program (FEHBP) claims by Blue Shield of California (BSC
or Plan).

The audit was conducted pursuant to FEHBP contract CS 1039; 5 U.S.C. Chapter 89; and 5 Code
of Federal Regulations (CFR) Chapter 1, Part 890. The audit was performed by the U.S. Office
of Personnel Management’s (OPM) Office of the Inspector General (OIG), as established by the
Inspector General Act of 1978, as amended.

The FEHBP was established by the Federal Employees Health Benefits Act (the Act), enacted on
September 28, 1959. The FEHBP was created to provide health insurance benefits for federal
employees, annuitants, and qualified dependents. The provisions of the Act are implemented by
OPM through regulations codified in Title 5, Chapter 1, Part 890 of the CFR. Health insurance
coverage is made available through contracts with various carriers that provide service benefits,
indemnity benefits, or comprehensive medical services.

The Blue Cross Blue Shield Association, on behalf of participating Blue Cross and Blue Shield
(BCBS) plans, has entered into a Government-wide Service Benefit Plan contract (CS 1039) with
OPM to provide a health benefit plan authorized by the FEHB Act. The Association delegates
authority to participating local BCBS plans throughout the United States, such as BSC, to
process the health benefit claims of its federal subscribers.

The Association has established a Federal Employee Program (FEP) Director’s Office (DO) in
Washington, D.C. to provide centralized management for the Service Benefit Plan. The FEP DO
coordinates the administration of the contract with the Association, member BCBS plans, and
OPM.




II. OBJECTIVES, SCOPE, AND METHODOLOGY
 OBJECTIVES

 The objectives of this audit were to evaluate controls over the confidentiality, integrity, and
 availability of FEHBP data processed and maintained in BSC’s information technology (IT)
 environment. We accomplished these objectives by reviewing IT security controls related to
 BSC’s network security and configuration management.

 SCOPE AND METHODOLOGY

 This performance audit was conducted in accordance with generally accepted government
 auditing standards issued by the Comptroller General of the United States. Accordingly, we
 obtained an understanding of BSC’s internal controls through interviews and observations, as
 well as inspection of various documents, including IT and other related organizational policies
 and procedures. This understanding of BSC’s internal controls was used in planning the audit by
 determining the extent of compliance testing and other auditing procedures necessary to verify
 that the internal controls were properly designed, placed in operation, and effective.

 This engagement was a follow-up audit where we performed test work related to network
 security and configuration management that BSC restricted us from completing during a prior
 audit (Report No. 1A-10-67-14-006, issued July 9, 2014). All recommendations from the prior
 audit have been closed. The business processes reviewed are primarily located in BSC’s El
 Dorado Hills, California, facility.

 The on-site portion of this audit was performed in May of 2016. We completed additional audit
 work before and after the on-site visit at our office in Washington, D.C. The findings,
 recommendations, and conclusions outlined in this report are based on the status of information
 system general controls in place at BSC as of June 2016.

 In conducting our audit, we relied to varying degrees on computer-generated data provided by
 BSC. Due to time constraints, we did not verify the reliability of the data used to complete some
 of our audit steps but we determined that it was adequate to achieve our audit objectives.
 However, when our objective was to assess computer-generated data, we completed audit steps
 necessary to obtain evidence that the data was valid and reliable.

 In conducting this review we:

 - Gathered documentation and conducted interviews;

 - Reviewed BSC’s business structure and environment;

 - Performed a risk assessment of BSC’s information systems environment and applications,
   and prepared an audit program based on the assessment and the U.S. Government
   Accountability Office’s (GAO) Federal Information System Controls Audit Manual
   (FISCAM); and

 - Conducted various compliance tests to determine the extent to which established controls and
   procedures are functioning as intended. As appropriate, we used judgmental sampling in
   completing our compliance testing.

Various laws, regulations, and industry standards were used as a guide to evaluate BSC’s control
structure. These criteria include, but are not limited to, the following publications:

- Title 48 of the Code of Federal Regulations;

- U.S. Office of Management and Budget (OMB) Circular A-130, Appendix III;

- OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of
  Personally Identifiable Information;

- Information Technology Governance Institute’s COBIT: Control Objectives for Information
  and Related Technology;

- GAO’s FISCAM;

- National Institute of Standards and Technology’s Special Publication (NIST SP) 800-12,
  Introduction to Computer Security: The NIST Handbook;

- NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information
  Technology Systems;

- NIST SP 800-41, Revision 1, Guidelines on Firewalls and Firewall Policy;

- NIST SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems
  and Organizations; and

- NIST SP 800-61, Revision 2, Computer Security Incident Handling Guide.

COMPLIANCE WITH LAWS AND REGULATIONS

In conducting the audit, we performed tests to determine whether BSC’s practices were
consistent with applicable standards. While generally compliant, with respect to the items tested,
BSC was not in complete compliance with all standards as described in the “Audit Findings and
Recommendations” section of this report.




III. AUDIT FINDINGS AND RECOMMENDATIONS

A. NETWORK SECURITY

  Network security includes the policies and controls in place to manage and monitor the activity
  of a computer network and network-accessible resources.

  We noted that BSC has implemented the following network security controls:

  - A variety of controls protect and monitor the network perimeter. The interior network is
    segmented into multiple zones with different levels of trust, and unless specifically allowed,
    all cross traffic is denied;

  - Security event monitoring is present throughout the network. BSC has contracted with a
    third party for network monitoring. This service includes consultation for system design,
    implementation, and ongoing monitoring and maintenance. The overall solution provides
    prevention services for HTTP/HTTPS based attacks, as well as protection against lateral
    attacks across the network; and

  - A documented incident response program. BSC has implemented a Cyber Defense Center
    with standardized procedures and provides training in response activities and forensics.

  The following section documents opportunities for improvement related to BSC’s vulnerability
  management program.

  1) Vulnerability Management

      We initiated this audit to follow up on concerns we raised during a 2014 IT audit of BSC
      regarding the organization’s vulnerability management program. In the prior audit, BSC
      prohibited us from performing automated vulnerability scans on its computer servers – a
      routine step in all of our IT audit engagements. In an alternate effort to meet our audit
      objective we asked BSC to perform these scans on our behalf. However, BSC was unable to
      successfully perform the scans on 75 percent of the servers we selected, nor was it able to
      produce historical scans of the selected servers. As a result, we were unable to independently
      attest that BSC had a vulnerability management program in place.

      During this current audit, BSC willingly allowed us to perform our own automated
      vulnerability scans and to thoroughly review its vulnerability management program.

    Our test work in this area began with interviewing BSC personnel to learn about the
    organization’s procedures for performing vulnerability scans. During the interview we were
    told that every computer server is scanned on a monthly basis, and that the scans are
    performed using privileged user credentials that allow the scanning tool to collect all of the
    data necessary for a comprehensive scan.

    We subsequently requested evidence to support the statements made in the interview.
    Specifically, we requested three iterations of historical vulnerability scan reports (scans from
    three different months) for a sample of 20 servers. In response, BSC provided us with
    screenshots (images) of the scanning tool’s configuration settings and a statement indicating
    that the images “show that all systems in the list are being subject to vulnerability scans” and
    that “credentialed scans are being performed.”

    However, this evidence did not fully support BSC’s statements, and we insisted BSC provide
    the full historical scan reports as we had originally requested. BSC ultimately provided the
    scan reports, and these reports indicated that [redacted] servers were subject to a
    vulnerability scan during any of the three months, and [redacted] was subject to a scan in
    more than one month. In addition, the content of the scan reports made it apparent that
    these scans were not run with the privileges necessary to perform a thorough analysis. BSC
    subsequently provided a statement acknowledging that its original attestation that “all
    scans are credentialed” was not accurate, as the historical vulnerability scans were, in
    fact, not run with the credentials necessary to perform a thorough scan.

        BSC’s vulnerability scan reports indicated that [redacted] servers sampled were
        scanned during the three months tested.

    The vulnerability scans that we independently performed during this audit identified several
    vulnerabilities that could have been previously detected by BSC had it been routinely
    running credentialed vulnerability scans on its servers. The 2014 audit report states that BSC
    “has not implemented a full scope vulnerability management program for servers housed in
    the data center it maintains. . . .” The test work performed during this audit indicates that this
    statement is still applicable.

    NIST SP 800-53, Revision 4, requires that an organization “Scans for vulnerabilities in the
    information system and hosted applications” on an organization-defined frequency, and that
    “Privileged access authorization to selected system components facilitates more thorough
    vulnerability scanning and also protects the sensitive nature of such scanning.”
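    The evidence test described above (three months of scan reports for a sample of servers, each
    checked for whether it actually ran with credentials) can be automated against the scanner's
    export. The following is an added example, not part of the OIG report or any BSC tooling; the
    ScanRecord fields, host names and months are constructed, and it counts a scan as credentialed
    only when the tool both authenticated and ran local (authenticated) checks.

```python
"""Evidence check for a credentialed vulnerability scanning program.

For a sample of servers and a set of months, determine which servers were
scanned at all, which were scanned in more than one month, and which had a
credentialed (full-scope) scan in every month. Records are constructed for
illustration; the field names are assumptions, not a specific scanner's format.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanRecord:
    host: str
    month: str            # "YYYY-MM" of the scan
    auth_succeeded: bool  # scanner reported a successful login to the target
    local_checks: int     # checks that need authentication (package inventory, etc.)


MONTHS = ("2016-02", "2016-03", "2016-04")  # the three months under test (constructed)


def is_credentialed(rec):
    # A login that produced no local checks (for example a permissions problem on
    # the target) is still not a full-scope scan, so both conditions are required.
    return rec.auth_succeeded and rec.local_checks > 0


def coverage(sample, records, months=MONTHS):
    """Per sampled host: months with any scan and months with a credentialed scan."""
    by_host = defaultdict(lambda: {"scanned": set(), "credentialed": set()})
    wanted = set(sample)
    for rec in records:
        if rec.host not in wanted or rec.month not in months:
            continue  # outside the sample or outside the months tested
        by_host[rec.host]["scanned"].add(rec.month)
        if is_credentialed(rec):
            by_host[rec.host]["credentialed"].add(rec.month)
    return {h: by_host[h] for h in sample}


def assess(sample, records, months=MONTHS):
    """Summarise the coverage the way the audit statement does."""
    cov = coverage(sample, records, months)
    n = len(months)
    return {
        "sample_size": len(sample),
        "scanned_any_month": sum(1 for c in cov.values() if c["scanned"]),
        "scanned_more_than_one_month": sum(1 for c in cov.values() if len(c["scanned"]) > 1),
        "credentialed_every_month": sum(1 for c in cov.values() if len(c["credentialed"]) == n),
        "never_credentialed": sorted(h for h, c in cov.items() if not c["credentialed"]),
        "not_scanned": sorted(h for h, c in cov.items() if not c["scanned"]),
    }


def full_scope(sample, records, months=MONTHS):
    """True only if every sampled server had a credentialed scan in every month."""
    cov = coverage(sample, records, months)
    return all(len(c["credentialed"]) == len(months) for c in cov.values())


# Constructed sample data: six sampled hosts and the scan records the tool exported.
SAMPLE = ["srv01", "srv02", "srv03", "srv04", "srv05", "srv06"]
RECORDS = [
    ScanRecord("srv01", "2016-02", True, 412),
    ScanRecord("srv01", "2016-03", True, 409),
    ScanRecord("srv01", "2016-04", True, 415),
    ScanRecord("srv02", "2016-02", False, 0),     # network-only scan, no login
    ScanRecord("srv02", "2016-03", False, 0),
    ScanRecord("srv03", "2016-04", True, 0),      # logged in, but no local checks ran
    ScanRecord("srv05", "2016-03", True, 388),    # credentialed, but one month only
    ScanRecord("srv06", "2016-01", True, 390),    # outside the months tested
    ScanRecord("other99", "2016-02", True, 400),  # not in the sample
]

if __name__ == "__main__":
    for key, value in assess(SAMPLE, RECORDS).items():
        print(f"{key}: {value}")
    print("full-scope credentialed scanning in place:", full_scope(SAMPLE, RECORDS))
```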



      Failure to perform full scope vulnerability scanning with proper privileged user credentials
      significantly decreases BSC’s ability to identify and remediate security vulnerabilities.

      Recommendation 1

      We recommend that BSC implement a comprehensive vulnerability management program
      that includes routine credentialed vulnerability scans against all servers.

      BSC Response:

      “BSC agrees with this recommendation. BSC worked on the implementation of
      credentialed vulnerability scanning after the OIG completed [its] on-site [fieldwork] and
      completed the implementation prior to the issuance of the draft report.”

      OIG Comment:

      As part of the audit resolution process, we recommend that BSC provide OPM’s Healthcare
      and Insurance Audit Resolution Group with evidence that it has adequately implemented this
      recommendation. This statement also applies to all subsequent recommendations in this
      report that BSC agrees to implement.

B. CONFIGURATION MANAGEMENT

 Configuration management controls are the activities focused on establishing and maintaining
 the integrity of information systems through control of processes for initializing, changing, and
 monitoring the configurations of those systems throughout the system development life cycle.
 We evaluated BSC’s configuration management program as it relates to the systems that support
 the processing of FEHBP claims, and determined that the following controls were in place:

 - Configuration management policies and procedures that include defined roles and
   responsibilities for the different stakeholders involved in the configuration management
   process; and

 - Procedures for ensuring software patches are installed in a timely manner.

 Although BSC has a configuration management program in place, the following sections
 document several areas where this program could be improved.




1) System Lifecycle Management

    BSC has a policy in place that states that all operating platforms in its environment must
    not have reached their “end-of-life” and that there must be a vendor, organization, or other
    entity providing ongoing security patches. However, our analysis of BSC’s system inventory
    revealed that [redacted]

        BSC’s system inventory included operating systems that are unsupported, [redacted]


    Software vendors typically advertise the dates that they will no longer provide support or
    distribute security patches for their products (referred to as end-of-life dates). In order to
    avoid the risk associated with having critical business operations dependent on unsupported
    software, organizations must have a process in place to anticipate end-of-life dates and phase
    out such software prior to this window of exposure.

    NIST SP 800-53, Revision 4, recommends that organizations replace “information system
    components when support for the components is no longer available from the developer,
    vendor, or manufacturer . . . .” NIST SP 800-53, Revision 4, also states that “Unsupported
    components … provide a substantial opportunity for adversaries to exploit new weaknesses
    discovered in the currently installed components.”

    Failure to upgrade system software could result in information systems containing security
    vulnerabilities to which no remediation is available.
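    One way to implement the anticipation process this section calls for, as an added example that
    is not from the report or from BSC: each platform in the inventory carries the vendor's
    end-of-life date and, optionally, the end date of some other entity's patch support, and the
    inventory is classified against the audit date with a lead window (180 days here, an assumed
    value) so that phase-out starts before patches stop. Host names, OS names and dates are
    constructed.

```python
"""Check a system inventory against an end-of-life policy.

Policy modelled: a platform must not have passed the last date on which
someone (vendor or another entity) provides security patches, and platforms
approaching that date should already be in phase-out.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Platform:
    host: str
    os_name: str
    vendor_eol: date                                # vendor stops shipping security patches
    extended_support_until: Optional[date] = None   # another entity providing patches, if any


LEAD = timedelta(days=180)  # assumed lead window for starting phase-out


def patch_support_ends(p):
    """Last date on which any entity provides security patches for the platform."""
    return max(p.vendor_eol, p.extended_support_until or p.vendor_eol)


def classify(p, today, lead=LEAD):
    """'unsupported' once patches have stopped, 'phase_out_due' inside the lead
    window (including the final day of support), otherwise 'supported'."""
    ends = patch_support_ends(p)
    if today > ends:
        return "unsupported"
    if today + lead >= ends:
        return "phase_out_due"
    return "supported"


def inventory_report(inventory, today, lead=LEAD):
    """Group hosts by status, each group ordered by the date patches stop."""
    report = {"unsupported": [], "phase_out_due": [], "supported": []}
    for p in sorted(inventory, key=patch_support_ends):
        report[classify(p, today, lead)].append(p.host)
    return report


def policy_violations(inventory, today):
    """Hosts on platforms nobody patches any more: the policy breach itself."""
    return [p.host for p in inventory if classify(p, today) == "unsupported"]


# Constructed inventory; the audit date mirrors the report's "as of June 2016".
AUDIT_DATE = date(2016, 6, 30)
INVENTORY = [
    Platform("srv-legacy1", "ExampleOS 3", date(2015, 7, 14)),
    Platform("srv-legacy2", "ExampleOS 3", date(2015, 7, 14),
             extended_support_until=date(2016, 11, 30)),  # third-party patch contract
    Platform("srv-app1", "ExampleOS 5", date(2020, 1, 14)),
    Platform("srv-db1", "ExampleOS 4", date(2016, 6, 30)),   # last day of support today
    Platform("srv-old", "ExampleOS 4", date(2016, 6, 29)),   # support ended yesterday
]

if __name__ == "__main__":
    for status, hosts in inventory_report(INVENTORY, AUDIT_DATE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```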

    Recommendation 2

    We recommend that BSC decommission all unsupported operating systems in its
    environment, and that it update its policies and procedures to include additional controls
    ensuring that software is phased out before its end-of-life date.

    BSC Response:

    “BSC agrees with this recommendation. BSC has been addressing the decommissioning
    of end-of-life systems. BSC has identified the remaining operating systems which are
    end-of-life and action plans to retire them are being finalized. Action plans for these
    systems and any necessary associated security exception documentation will be completed by
    [redacted]. Additionally, by [redacted], BSC will also enhance our processes to
    ensure software is phased out before its end-of-life date.”

2) Configuration Standards

    Our 2014 audit determined that BSC did not maintain, document, or approve configuration
    standards for all operating systems used in its environment. In response to the 2014 draft
    audit report, BSC stated that it had implemented a new policy where the Center for Internet
    Security (CIS) benchmarks would be used as a guide for developing configuration standards
    for all of its servers. We noted in the 2014 final audit report that this was an improvement,
    but that evidence was still needed to indicate that BSC’s configuration standards had been
    customized to “include approved deviations and exceptions from CIS standard benchmarks.”
    The prior recommendation was subsequently closed when BSC provided evidence that it had
    developed comprehensive configuration standards that were customized to the BSC
    environment and addressed deviations from the CIS benchmarks.

    As part of this current audit we again requested copies of BSC’s configuration standards. In
    response, BSC provided us with a limited sample of approximately 40 settings, but the
    response did not include the approved value of each setting. For example, the response listed
    a configurable setting of “maximum password age,” but did not indicate the actual value that
    BSC had approved for this setting (i.e., how many days before a user is forced to change their
    password).

    The documentation provided by BSC during this audit does not indicate that the organization
    has comprehensive operating system configuration standards in place. The list of
    approximately 40 values that we were provided is far less comprehensive than a typical
    configuration standard (e.g., the CIS benchmark), and did not include the exceptions that
    were described in the documentation that BSC had previously provided to OPM in an effort
    to close the 2014 audit recommendation. It appears that BSC stopped following (or did not
    fully implement) the configuration standard framework that it established in response to the
    2014 audit finding.

    NIST SP 800-53, Revision 4, identifies the need for an organization to establish, implement,
    document deviations, and monitor configuration settings. It also states that configuration
    settings must include “(i) registry settings; (ii) account, file, directory permission
    settings; and (iii) settings for functions, ports, protocols, services, and remote
    connections.”

        BSC has not developed and approved configuration standards for each operating system.
    Failure to establish thorough system configuration standards increases the risk that
    information systems may not meet performance or security requirements defined by the
    organization.

    Recommendation 3

    We recommend that BSC formally document and approve a set of configuration standards
    for each operating platform in its network environment, and that the settings reflect the most
    restrictive mode consistent with the operational requirements. If BSC leverages existing
    configuration standards (e.g., CIS benchmarks) as a guide, then BSC’s standards should
    document the deviations and exceptions required for its unique technical environment.

    BSC Response:

    “BSC agrees with this recommendation. BSC has defined, risk-based configuration
    standards for security for hardening for each operating platform in our network
    environment. By [redacted], BSC will update our hardening framework to ensure that
    our configuration standards are refreshed as new/updated CIS Benchmarks are
    published.”

3) Compliance Auditing

    BSC could improve its procedures by auditing the current configuration of its servers
    against an approved standard. Our 2014 audit report indicated that BSC conducted
    compliance audits on its servers using generic CIS benchmarks, but that these audits were not
    fully effective because there was no BSC-specific standard to audit against. We recommended
    that BSC routinely audit security configuration settings using its own approved baselines.
    This recommendation was subsequently closed when BSC provided evidence that it had
    developed customized configuration standards and was routinely auditing against those
    standards using an automated scanning tool.

    As part of this audit we evaluated this new process and identified several areas of concern
    with BSC’s compliance auditing methodology:

    •  There were multiple servers scanned with the wrong configuration standard (e.g.,
       systems were audited against                         settings). Auditing a         system
       with a            configuration standard will produce little to no meaningful results. In
       effect, these systems are not being subjected to compliance auditing at all;


    •  Multiple scans were performed without the necessary privileges to perform a thorough
       analysis. Scans performed without system credentials that allow the scanning tool to
       authenticate to the scan target may not be able to collect the information necessary to
       audit each configuration setting;

    •  As stated in the section above, BSC has not documented comprehensive operating system
       configuration standards that are customized to its specific environment. Compliance
       audits performed against generic standards are only minimally effective; and

    •  We did not receive evidence that




    FISCAM states that organizations should require, “Current configuration information [to] be
    routinely monitored for accuracy. Monitoring should address the current baseline and
    operational configuration of the hardware, software, and firmware that comprise the
    information system.”

    Failure to implement a thorough configuration compliance auditing program increases the
    risk that insecurely configured servers exist undetected.
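    The three methodology weaknesses described above (a host evaluated against a standard written
    for a different platform, a scan run without credentials, and a baseline that is an untailored
    generic benchmark) can be caught by reviewing a scan's metadata and coverage before its output
    is accepted as a compliance result. The following is an added example, not BSC's scanning tool
    or the OIG's audit procedure. It evaluates constructed scan records against a site baseline that
    records its documented deviations from an upstream benchmark; every hostname, baseline name,
    setting identifier and observed value is hypothetical.

```python
"""Sanity-check configuration-compliance scan output before accepting it.

Constructed example. Baseline names, setting identifiers, hostnames and
observed values are hypothetical; none come from the audit report.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Baseline:
    """An approved site standard: the platform it covers, the generic
    benchmark it adapts, required values, and documented deviations."""
    name: str
    platform: str                 # OS family the standard was written for
    derived_from: str             # upstream benchmark it was tailored from
    required: dict                # setting id -> required value
    exceptions: dict = field(default_factory=dict)  # setting id -> approved value


@dataclass(frozen=True)
class Scan:
    """One scanner run against one host."""
    host: str
    detected_os: str              # platform the scanner fingerprinted
    baseline: str                 # standard the scanner evaluated against
    credentialed: bool            # scanner authenticated to the target
    observed: dict                # setting id -> observed value (absent if not collected)


# Hypothetical site baselines. The Linux one records a documented deviation
# (minimum password length 12 instead of the upstream 14); the Windows one
# is the upstream benchmark copied verbatim with no deviations recorded.
BASELINES = {
    "site-linux-v3": Baseline(
        name="site-linux-v3", platform="linux",
        derived_from="CIS Distribution Independent Linux",
        required={"sshd.PermitRootLogin": "no", "sshd.Protocol": "2",
                  "pam.pwquality.minlen": "14", "fs.suid_dumpable": "0"},
        exceptions={"pam.pwquality.minlen": "12"}),
    "site-windows-v1": Baseline(
        name="site-windows-v1", platform="windows",
        derived_from="CIS Microsoft Windows Server",
        required={"LSA.LimitBlankPasswordUse": "1",
                  "Audit.LogonEvents": "Success,Failure"}),
}

# Constructed scan records showing the three methodology problems.
SCANS = {
    # Correct standard, credentialed: every setting is evaluated.
    "web01": Scan("web01", "linux", "site-linux-v3", True,
                  {"sshd.PermitRootLogin": "no", "sshd.Protocol": "2",
                   "pam.pwquality.minlen": "12", "fs.suid_dumpable": "1"}),
    # Linux host scanned with the Windows standard: nothing matches.
    "db02": Scan("db02", "linux", "site-windows-v1", True, {}),
    # Right standard but no credentials: only banner-visible data collected.
    "app03": Scan("app03", "linux", "site-linux-v3", False,
                  {"sshd.Protocol": "2"}),
}


def evaluate(scan, baselines):
    """Return (status per baseline setting, list of methodology problems).

    status values: pass, fail, accepted (documented deviation), unknown
    (scanner could not collect the value, so nothing was audited)."""
    problems = []
    base = baselines.get(scan.baseline)
    if base is None:
        problems.append(f"{scan.host}: scanned with unapproved standard {scan.baseline!r}")
        return {}, problems
    if base.platform != scan.detected_os:
        problems.append(f"{scan.host}: {scan.detected_os} host audited against "
                        f"{base.platform} standard {base.name!r}")
    if not scan.credentialed:
        problems.append(f"{scan.host}: uncredentialed scan; settings needing local "
                        f"access will be unknown")
    if not base.exceptions:
        problems.append(f"{base.name}: no documented deviations from "
                        f"{base.derived_from!r}; confirm it was tailored")

    status = {}
    for setting, want in base.required.items():
        got = scan.observed.get(setting)
        if got is None:
            status[setting] = "unknown"
        elif got == want:
            status[setting] = "pass"
        elif base.exceptions.get(setting) == got:
            status[setting] = "accepted"
        else:
            status[setting] = "fail"
    return status, problems


def coverage(status):
    """Fraction of baseline settings the scan actually evaluated.
    Near zero means the scan produced no meaningful compliance result."""
    if not status:
        return 0.0
    return sum(s != "unknown" for s in status.values()) / len(status)


if __name__ == "__main__":
    for scan in SCANS.values():
        status, problems = evaluate(scan, BASELINES)
        print(f"{scan.host}: coverage={coverage(status):.2f} "
              f"fail={[k for k, v in status.items() if v == 'fail']}")
        for p in problems:
            print("  !", p)
```

    The point of the coverage figure is that a mismatched or uncredentialed scan does not
    produce failures; it produces "unknown" for almost every setting, which a report that only
    counts failures will present as a clean host. A review that rejects scans below a coverage
    threshold, or whose baseline platform differs from the fingerprinted OS, turns the finding
    above into an automated gate rather than a manual spot check.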

    Recommendation 4

    We recommend that BSC routinely audit all of its servers and                   against the
    comprehensive configuration standards established in response to Recommendation 3. If
    automated scanning tools are used to perform these audits, BSC should ensure that the tools
    have the appropriate system privileges to perform a thorough scan.

    BSC Response:

    “BSC agrees with this recommendation. By                     , BSC will enhance the
    routine audits of all of our servers and            to ensure they are utilizing
    appropriate configuration standards and that the tools used for the configuration scanning
    have appropriate privileges to perform the scans.”




                                                       APPENDIX



November 18, 2016

Federal Employee Program
1310 G Street, N.W.
Washington, D.C. 20005
202.942.1000
Fax 202.942.1125

Chief, Information Systems Audit Group
U.S. Office of Personnel Management (OPM)
1900 E Street, Room 6400
Washington, D.C. 20415-1100

Reference:  OPM DRAFT IT AUDIT REPORT
            Blue Shield of California (BSC) Follow-up
            Audit Report Number 1A-10-67-16-040
            (Dated September 16, 2016)

The following represents the Plan’s response as it relates to the recommendations included in the draft
report.

A. Network Security

1. Vulnerability Management
    Recommendation 1

    We recommend that BSC implement a comprehensive vulnerability management program that
    includes routine credentialed vulnerability scans against all servers.

    Plan Response

    BSC agrees with this recommendation. BSC worked on the implementation of credentialed
    vulnerability scanning after the OIG completed their on-site and completed the implementation prior to
    the issuance of the draft report.

B. Configuration Management

2. System Lifecycle Management

    Recommendation 2

    We recommend that BSC decommission all unsupported operating systems in its environment, and
    that it update its policies and procedures to include additional controls ensuring that software is
    phased out before its end-of-life date.

    Plan Response

    BSC agrees with this recommendation. BSC has been addressing the decommissioning of end-of-life
    systems. BSC has identified the remaining operating systems which are end-of-life and action plans
    to retire them are being finalized. Action plans for these systems and any necessary associated
    security exception documentation will be completed by                   . Additionally, by
          , BSC will also enhance our processes to ensure software is phased out before its end-of-life
    date.

3. Configuration Standards

    Recommendation 3

    We recommend BSC formally document and approve a set of configuration standards for each
    operating platform in its network environment, and that the settings reflect the most restrictive mode
    consistent with the operational requirements. If BSC leverages existing configuration standards (e.g.,
    CIS benchmarks) as a guide, then BSC’s standards should document the deviations and exceptions
    required for its unique technical environment.

    Plan Response

    BSC agrees with this recommendation. BSC has defined, risk-based configuration standards for
    security for hardening for each operating platform in our network environment. By              ,
    BSC will update our hardening framework to ensure that our configuration standards are refreshed as
    new/updated CIS Benchmarks are published.

4. Compliance Auditing

    Recommendation 4
    We recommend BSC routinely audit all of its servers and                     against the appropriate
    configuration standards. If automated scanning tools are used to perform these audits, BSC should
    ensure that the tools have the appropriate system privileges to perform a thorough scan.

    Plan Response

    BSC agrees with this recommendation. By                        , BSC will enhance the routine audits of
    all of our servers and              to ensure they are utilizing appropriate configuration standards
    and that the tools used for the configuration scanning have appropriate privileges to perform the
    scans.


We appreciate the opportunity to provide our response to each of the recommendations in this report and
request that our comments be included in their entirety and are made a part of the Final Audit Report. If
you have any questions, please contact me at                   or          at                  .

Sincerely, 




            , CISA
Managing Director, FEP Program Assurance 

 
cc:                                                                     , FEP
                                                            , FEP




                                                                                                                  



Report Fraud, Waste, and Mismanagement

Fraud, waste, and mismanagement in Government concerns everyone: Office of the Inspector
General staff, agency employees, and the general public. We actively solicit allegations of any
inefficient and wasteful practices, fraud, and mismanagement related to OPM programs and
operations. You can report allegations to us in several ways:


By Internet:  http://www.opm.gov/our-inspector-general/hotline-to-report-fraud-waste-or-abuse

By Phone:     Toll Free Number:        (877) 499-7295
              Washington Metro Area:   (202) 606-2423

By Mail:      Office of the Inspector General
              U.S. Office of Personnel Management
              1900 E Street, NW
              Room 6400
              Washington, DC 20415-1100
             
                                                                                                                  
