We performed an audit of the Tennessee Valley Authority’s (TVA) management of privileged accounts. Our objective was to determine if TVA's management of privileged accounts is following TVA policy and best practices. A privileged user has an account that is authorized for the performance of security-related functions that ordinary users cannot perform. Privileged account management can be defined as managing and logging account and data access by privileged users. In summary, we found several controls of TVA’s privileged account management to be generally effective, including (1) an accurate inventory of privileged network device accounts, (2) appropriate segregation of duties, (3) appropriate account lifecycle management for most privileged users, and (4) monitoring of privileged accounts. However, we also found (1) improper usage of primary user accounts with privileged access, (2) one account with inappropriate privileged access, and (3) several gaps in TVA’s Standard Programs and Processes when compared to best practices.
Wednesday, September 22, 2021
Agency Reviewed / Investigated:
Submitting OIG-Specific Report Number:
Type of Report:
Funds for Better Use:
Number of Recommendations: