Review of TVA's Process for Handling Lost or Stolen Computers

We initiated a special project to determine if (1) TVA's policies, procedures, and practices for handling lost or stolen computer equipment were adequate; (2) those policies, procedures, and practices were followed; and (3) the lost or stolen computers contained sensitive or restricted information. We found:TVA's policies, practices, and procedures for maintaining an accurate inventory of computer equipment were not adequate. Since the August 2004 implementation of the HP Service Desk (HPSD), which contains an inventory of TVA computers, TVA has been unable to track over 5,550 computers. The inability to adequately track, as well as the lack of encryption, on these computers increases the risk for the disclosure of sensitive or restricted information.The policies for handling/reporting stolen computers were not consistently followed. At least one of the stolen computers contained personally identifiable information-employee social security numbers. We have not been able to confirm whether the remaining stolen computers contained sensitive or restricted information, although we believe the risk is moderate.