The OIG audited the Area Access Manager (AAM) application to determine the adequacy of: (1) data processing and application controls to ensure data integrity and reliability, (2) logical security controls to ensure only authorized access to system resources and protection of sensitive information, and (3) automated controls for granting physical access to sensitive TVA locations. In summary, we determined logical security controls were generally operating effectively and controls around granting physical access to sensitive TVA locations were operating in accordance with TVA policy. However, we found: (1) electronic copies of completed TVA form 15589, TVA Facility Access Request, which included the requester's social security number, were not stored encrypted, as required by TVA Standard Programs and Processes; (2) the level of access for three system administrators appeared to be greater than what was needed to perform their jobs; and (3) documentation of periodic reviews of the AAM was not maintained. (Note: We found AAM performs limited data processing and does not update any other systems. Therefore, we did not test data processing and application controls.) TVA management (1) corrected the system administrators' level of access during the audit, (2) agreed with our recommendations to secure the electronic copies of completed TVA form 15589 and to maintain documentation of periodic reviews, and (3) has begun or is planning to take action to implement the recommendations. Summary Only
| Report Date | Agency Reviewed / Investigated | Report Title | Type | Location | |
|---|---|---|---|---|---|
| Tennessee Valley Authority | Area Access Manager | Audit | Agency-Wide | View Report | |
| U.S. Postal Service | Benchmarking of Delivery Fleet Replacement Strategies | Review | Agency-Wide | View Report | |
| Department of the Interior | The Bureau of Safety and Environmental Enforcement, Incident Investigation Program | Inspection / Evaluation | Agency-Wide | View Report | |
| Department of Veterans Affairs | Combined Assessment Program Review of the G.V. (Sonny) Montgomery VA Medical Center, Jackson, Mississippi | Review |
|
View Report | |
| Department of Veterans Affairs | Combined Assessment Program Review of the Northport VA Medical Center, Northport, New York | Review |
|
View Report | |
| Nuclear Regulatory Commission | Evaluation of Involvement of Political Appointees in NRC’s FOIA Process | Inspection / Evaluation | Agency-Wide | View Report | |
| Department of Veterans Affairs | Administrative Investigation, Improper Use of Web-based Collaboration Technology, Office of Information and Technology | Investigation | Agency-Wide | View Report | |
| Department of Veterans Affairs | Review of Alleged Shredding of Claims-Related Evidence at the VA Regional Office Los Angeles, California | Audit |
|
View Report | |
| International Trade Commission | Freedom of Information Act Assessment | Other | Agency-Wide | View Report | |
| Railroad Retirement Board | Audit of the Internal Controls Over Obligations at the Railroad Retirement Board | Audit | Agency-Wide | View Report | |
