What Did We Find?

Our audit of the IT security controls of APWUHP determined that:

• APWUHP has established an adequate security management program. However, there is not a policy requiring role-based training for IT security staff.

• APWUHP has implemented a variety of physical and logical access controls. However, we noted several areas of concern related to data center physical access controls, physical and logical access reviews, and privileged user access.

• APWUHP has implemented an incident response and network security program. However, we noted several areas of concern related to firewall management, network access controls, and incident response testing.

• APWUHP has developed formal configuration management policies and procedures. However, APWUHP does not have documented security configuration standards, and does not routinely review systems for configuration compliance.

• APWUHP has developed and documented a formal business continuity and disaster recovery plan that contains the elements suggested by relevant guidance and publications.

• APWUHP has implemented many controls in its claims adjudication process to ensure that FEHBP claims are processed accurately. However, physical claims storage should be improved.

The OPM Office of Inspector General issued an audit report on the American Postal Workers Union Health Plan. They made 18 recommendations to improve security. The APWU Health Plan agreed with 17 recommendations and disagreed with only the last one regarding paper claims:

Source: U.S. OFFICE OF PERSONNEL MANAGEMENT, OFFICE OF THE INSPECTOR GENERAL, OFFICE OF AUDITS