Re: Define vulnerable
The answer would be both A & C.
It is very difficult to believe that the same Specifications Document was used for the 25 databases. The importance here being that they all deal with roughly the same subject but were probably developed with differing objectives, different budgets and most importantly different people.
It is therefore easy enough to conclude that they all have one or more fields which describe the "vulnerability", and that the levels of classification are probably different for each database - herein lies the problem.
What are the chances that everyone is using exactly the same criteria in order to classify "vulnerability", almost none.
Therefore during the consolidation process how are they going to consolidate the "vulnerability classification". You can't mix oranges and apples and produce "appanges" or "orapples."
If they keep all the varying classifications from all databases this will lead to mass confusion.
If they decide to adopt a new classifcation system then how will they make the decision as to classifcation that should be implemented, errors at this stage could have very serious consequences for the concerned individuals.
Mapping even "one" level of classification between 25 different systems is difficult. If there are, as you suggest, more than one level then the project will very likely become incoherent.
I would suggest that they analyse the 25 databases and possibly consolidate those that can easilly be consolidated and attempt to reduce the total number of systems down to maybe 6 systems.
These 6 systems could then possibly be updated, adapted so that they share a common reporting interface. This would remove some of the confusion from the end user point of view.
In the long term the 6 "might" eventually be able to consolidated into 1 system.
One step at a time........