We found several areas of the privacy program to be generally effective, including (1) completion of privacy impact assessments, (2) privacy-related training taken by network users, (3) privacy considerations during the authority to operate process, (4) system categorization, (5) privacy incident response, (6) privacy-related contract terms and conditions, and (7) desktop and laptop sanitization.

However, we identified seven issues that should be addressed by TVA management to further increase the effectiveness of the privacy program. Specifically, we found:

1. Unsecured electronic restricted personally identifiable information on SharePoint and shared network drives.
2. Unsecured hard copy restricted personally identifiable information.
3. No end user notifications for e-mail security violations.
4. No technical controls for removable media.
5. We could not confirm that all desktops and laptops utilize encryption.
6. Privacy Act notices on TVA forms did not include all required elements.
7. Not all external Web sites included privacy policies. (Note: Prior to completion of our audit, TVA Technology and Innovation took action to address the external Web sites that were missing required privacy policies.)

We also found gaps between TVA’s policies and procedures and applicable federal privacy regulations and guidance.

Monday, September 20, 2021