The Office of the Inspector General performed an audit to determine if TVA’s security controls were appropriately configured to protect corporate Wi-Fi networks. Our scope was limited to Wi-Fi networks maintained by TVA’s Technology and Innovation organization. We determined TVA’s security controls related to overall architecture design and implementation were generally configured appropriately to protect corporate Wi Fi networks. However, we identified several areas that should be addressed to further improve the security of corporate Wi-Fi networks. Specifically, we identified:• Internal controls for specific types of attacks were ineffective.• Wireless software and hardware were unsupported by the manufacturer.• Data in transit (electronic transmission of information) was not properly secured.• Primary accounts improperly provided privileged user access.• Service account usage was not in accordance with TVA policy.• Baseline configuration management process was not designed or implemented properly.TVA management agreed with our recommendations.
Report File
Date Issued
Submitting OIG
Tennessee Valley Authority OIG
Other Participating OIGs
Tennessee Valley Authority OIG
Agencies Reviewed/Investigated
Tennessee Valley Authority
Report Number
2023-17434
Report Description
Report Type
Audit
Agency Wide
Yes
Number of Recommendations
7
Questioned Costs
$0
Funds for Better Use
$0
Open Recommendations
This report has 3 open recommendations.
| Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details | |
|---|---|---|---|---|---|
| 2 | No | $0 | $0 | ||
| We recommend the Vice President and Chief Information and Digital Officer, Technology and Innovation, implement the planned project to upgrade software and hardware to supported versions. | |||||
| 3 | No | $0 | $0 | ||
| We recommend the Vice President and Chief Information and Digital Officer, Technology and Innovation, take action to remediate both instances of insecure protocols in use where technically and operationally possible. | |||||
| 7 | No | $0 | $0 | ||
| We recommend the Vice President and Chief Information and Digital Officer, Technology and Innovation, implement baselines, baseline monitoring, and deviation risk tracking as required by TVA policy. | |||||
