IT Security Organizational Effectiveness

While IT Security has made strides in establishing the technology infrastructure, we found (1) IT Security lacks a business-level mechanism to provide cross-agency oversight, a strategic TVA-wide approach, and grounding in risk management; (2) coordination and communication with business units were not well defined and could be more effective with increased training, communication, and business unit involvement in security planning; (3) procedures were outdated and did not address issues for all business segments; and (4) performance management was substantially undefined. Management agreed with the recommendations and is taking corrective action. Summary Only