Privileged Account Management

Report Information

Date Issued
Report Number
2021-15777
Report Type
Audit
Description
We performed an audit of the Tennessee Valley Authority’s (TVA) management of privileged accounts. Our objective was to determine if TVA’s management of privileged accounts is following TVA policy and best practices. A privileged user has an account that is authorized for the performance of security-related functions that ordinary users cannot perform. Privileged account management can be defined as managing and logging account and data access by privileged users.

In summary, we found several controls of TVA’s privileged account management to be generally effective, including (1) an accurate inventory of privileged network device accounts, (2) appropriate segregation of duties, (3) appropriate account lifecycle management for most privileged users, and (4) monitoring of privileged accounts. However, we also found (1) improper usage of primary user accounts with privileged access, (2) one account with inappropriate privileged access, and (3) several gaps in TVA’s Standard Programs and Processes when compared to best practices.
Joint Report
Yes
Participating OIG
Tennessee Valley Authority OIG
Agency Wide
Yes (agency-wide)
Questioned Costs
$0
Funds for Better Use
$0

Recommendations

We recommend the Vice President and Chief Information and Digital Officer, Technology and Innovation, review gaps in best practices and incorporate into TVA policies accordingly.

We recommend the Vice President and Chief Information and Digital Officer, Technology and Innovation, implement an additional periodic review by T&I management of the privileged account inventory and assigned access.

We recommend the Vice President and Chief Information and Digital Officer, Technology and Innovation, take action to ensure primary accounts are prohibited from having privileged access as required in TVA policy.