Controls for Handling TVA Private Information - Cartus Corporation

The OIG audited the handling and processing of personally identifiable information (PII) provided to Cartus Corporation, a contractor for TVA. Our audit evaluated the (1) processes used to safeguard data transmitted from TVA to Cartus (2) handling, processing, and security of the data at Cartus, and (3) compliance with security-related contract terms. Generally, we found TVA controls for transmission of data to Cartus and its security controls for TVA data stored on its systems were effective in protecting the data. However, we identified control improvements that, if implemented, would strengthen Cartus' controls over data protection. Summary Only