We determined:

- Personally identifiable information (PII) and other sensitive information were not properly secured, thus exposing the information to anyone with a TVA network ID;
- Temporary shares were being used to store non-business-related information;
- TVA does not have a policy or guidance for management of temporary shares to address the proper use of the share (i.e., types of information that can be stored and the unsecured nature of the share), responsibilities of the users, and maintenance (i.e., maximum time frame for retention of files on the share);
- TVA Standard Programs and Processes (SPP) 12.9, Computer Security and Privacy Incident Response, which includes procedures for notifying TVA employees and their dependents, contractors, and retirees and their dependents when PII has potentially been compromised, has yet to be implemented; and
- Two business practice drafts, (1) TVA Information Security Policy, which describes classification and protection of information, and (2) Acceptable Use of Information Resources (Rules of Behavior), which explicitly prohibits storage of non-TVA information on TVA servers, have yet to be implemented.

TVA management agreed with the findings and has taken or is taking corrective action.
Date Issued
Submitting OIG
Tennessee Valley Authority OIG
Other Participating OIGs
Tennessee Valley Authority OIG
Agencies Reviewed/Investigated
Tennessee Valley Authority
Report Number
2007-10997
Report Description
Report Type
Audit
Agency Wide
Yes
Questioned Costs
$0
Funds for Better Use
$0