Establishing the level of acceptable risk is the responsibility of:

A. quality assurance management.

B. senior business management.

C. the chief information officer.

D. the chief security officer.

Explanation:

Senior management should establish the acceptable risk level, since they have the ultimate or final responsibility for the effective and efficient operation of the organization. Choices A, C and D should act as advisors to senior management in determining an acceptable risk level.