Who should have access to TARP reports?

• A. All employees.
• B. Only those with a legitimate need to know.
• C. Publicly posted for transparency.
• D. Only executives.

Answer: (B)

Access to TARP reports should be restricted to individuals with a legitimate need to know. This protects sensitive threat information and any personal data it may contain, reducing the risk of misuse, leakage, or misinterpretation. In practice, access is granted based on role and responsibility, following least-privilege and need-to-know principles, and is managed through formal policies and audits. Those who must handle reporting, investigation, compliance, or direct operational action may need to review the reports, while the broader workforce does not. Public posting or wide distribution would violate privacy and security requirements and could undermine the program. Limiting access to only executives would ignore practical needs for those who must act on the information at operational levels.