Establishing the level of acceptable risk is the responsibility of:
quality assurance management.
senior business management.
the chief information officer.
the chief security officer.
Senior management should establish the acceptable risk level, since they have the ultimate or final
responsibility for the effective and efficient operation of the organization. Choices A, C and D should
act as advisors to senior management in determining an acceptable risk level.