Acceptable levels of information security risk should be determined by:
Answer options:
A. legal counsel.
B. security management.
C. external auditors.
D. die steering committee.
Answer correct:
D
Senior management, represented in the steering committee, has ultimate responsibility for determining what levels of risk the organization is willing to assume. Legal counsel, the external auditors and security management are not in a position to make such a decision.