Cyber Security Patch Management of High Risk Desktops and Laptops

The OIG audited the overall effectiveness of the Tennessee Valley Authority's (TVA) patch management process for high-risk, end-user desktops and laptops as they are most vulnerable to spear phishing, a very common tactic used in today's environment to infiltrate computer networks and spread malware. We found (1) TVA is at potential risk for compromise as the patching status was unknown for 12 percent of desktops and laptops in our sample due to desktops and laptops not being managed in patch management tools; (2) 1 of 162 desktops and laptops tested had a missing patch that could lead to remote code execution that has a public exploit available; and (3) the patching process for Mac desktops and laptops is not formally documented. TVA management agreed with our findings and recommendations.