The correct answer is C because unmitigated vulnerabilities are the most important information to keep confidential. Revealing known weaknesses that have not yet been addressed could directly increase the likelihood of exploitation by insiders, contractors, consultants, or external parties who gain access to that information.
The other options are less sensitive in this context:
A. Key risk indicator (KRI) threshold methodology is sensitive governance information, but it is not as directly exploitable as known vulnerabilities.
B. Names of key cloud providers may be known or inferable and are not as dangerous as exposing actual weaknesses.
D. Corporate security policies are often shared broadly to support compliance and awareness, and employees or contractors typically need to know them.
Exact Extracts supporting the answer:
“The MOST critical observation when reviewing system configuration files for a critical enterprise application system is access to configuration files is not restricted.”
“The MOST concern to the risk practitioner regarding applications running in production is backdoors.”
“A lack of adequate controls represents a vulnerability exposing sensitive processes and/or data to potential malicious damage or unauthorized access.”
“The MOST serious vulnerability allowing attackers to access data through a web application is when validation checks are missing in data input fields enabling attacks like SQL injection.”
These extracts support that vulnerabilities are highly sensitive because they expose the organization to direct attack. Therefore, unmitigated vulnerabilities are the most important to keep confidential.