Submitting OIG:
Report Description:
We performed an audit of the Tennessee Valley Authority’s (TVA) management of privileged accounts. Our objective was to determine if TVA's management of privileged accounts is following TVA policy and best practices. A privileged user has an account that is authorized for the performance of security-related functions that ordinary users cannot perform. Privileged account management can be defined as managing and logging account and data access by privileged users.
In summary, we found several controls of TVA’s privileged account management to be generally effective, including (1) an accurate inventory of privileged network device accounts, (2) appropriate segregation of duties, (3) appropriate account lifecycle management for most privileged users, and (4) monitoring of privileged accounts. However, we also found (1) improper usage of primary user accounts with privileged access, (2) one account with inappropriate privileged access, and (3) several gaps in TVA’s Standard Programs and Processes when compared to best practices.
Date Issued:
Wednesday, September 22, 2021
Agency Reviewed / Investigated:
Submitting OIG-Specific Report Number:
2021-15777
Location(s):
Agency-Wide
Type of Report:
Audit
Questioned Costs:
$0
Funds for Better Use:
$0
Number of Recommendations:
3
View Document:
| Attachment | Size |
|---|---|
| 2021-15777.pdf | 703.03 KB |