Establishing the level of acceptable risk is the responsibility of:

A.
quality assurance management.

B.
senior business management.

C.
the chief information officer.

D.
the chief security officer.

Explanation:

Senior management should establish the acceptable risk level, since they have the ultimate or
final responsibility for the effective and efficient operation of the organization. Choices A, C and D
should act as advisors to senior management in determining an acceptable risk level.