We performed an audit of the Tennessee Valley Authority’s (TVA) management of privileged accounts. Our objective was to determine if TVA’s management of privileged accounts is following TVA policy and best practices. A privileged user has an account that is authorized for the performance of security-related functions that ordinary users cannot perform. Privileged account management can be defined as managing and logging account and data access by privileged users.

In summary, we found several controls of TVA’s privileged account management to be generally effective, including (1) an accurate inventory of privileged network device accounts, (2) appropriate segregation of duties, (3) appropriate account lifecycle management for most privileged users, and (4) monitoring of privileged accounts. However, we also found (1) improper usage of primary user accounts with privileged access, (2) one account with inappropriate privileged access, and (3) several gaps in TVA’s Standard Programs and Processes when compared to best practices.
Report File
Date Issued
Submitting OIG: Tennessee Valley Authority OIG
Other Participating OIGs: Tennessee Valley Authority OIG
Agencies Reviewed/Investigated: Tennessee Valley Authority
Report Number: 2021-15777
Report Description
Report Type: Audit
Agency Wide: Yes
Number of Recommendations: 3
Questioned Costs: $0
Funds for Better Use: $0