The OIG audited the Area Access Manager (AAM) application to determine the adequacy of: (1) data processing and application controls to ensure data integrity and reliability, (2) logical security controls to ensure only authorized access to system resources and protection of sensitive information, and (3) automated controls for granting physical access to sensitive TVA locations.

In summary, we determined logical security controls were generally operating effectively and controls around granting physical access to sensitive TVA locations were operating in accordance with TVA policy. However, we found: (1) electronic copies of completed TVA form 15589, TVA Facility Access Request, which included the requester's social security number, were not stored encrypted, as required by TVA Standard Programs and Processes; (2) the level of access for three system administrators appeared to be greater than what was needed to perform their jobs; and (3) documentation of periodic reviews of the AAM was not maintained. (Note: We found AAM performs limited data processing and does not update any other systems. Therefore, we did not test data processing and application controls.)

TVA management (1) corrected the system administrators' level of access during the audit, (2) agreed with our recommendations to secure the electronic copies of completed TVA form 15589 and to maintain documentation of periodic reviews, and (3) has begun or is planning to take action to implement the recommendations.

Summary Only
Date Issued
Submitting OIG
Tennessee Valley Authority OIG
Other Participating OIGs
Tennessee Valley Authority OIG
Agencies Reviewed/Investigated
Tennessee Valley Authority
Report Number
2015-15279
Report Description
Report Type
Audit
Agency Wide
Yes
Questioned Costs
$0
Funds for Better Use
$0