Acceptable levels of information security risk should be determined by:
Correct answer: D.
Senior management, represented in the steering committee, has ultimate responsibility for determining what levels of risk the organization is willing to assume.
Legal counsel, the external auditors and security management are not in a position to make such a decision.
Determining acceptable levels of information security risk is a critical aspect of information security management. The right approach ensures that an organization can balance its operational needs with the risks of security breaches. To answer this question, we'll review each option and explain which one is the correct answer.
A. Legal counsel: Legal counsel typically advises on legal issues, including compliance with relevant regulations, data privacy, and data protection laws. Legal counsel may provide input into an organization's risk management strategy, but they may not have the expertise to fully understand the organization's unique security risks.
B. Security management: Security management is responsible for protecting an organization's information assets, including sensitive data and intellectual property. They are typically tasked with developing and implementing an information security risk management framework. As such, they are best placed to determine acceptable levels of information security risk.
C. External auditors: External auditors typically review an organization's financial statements and operations to ensure compliance with relevant regulations and standards. While they may identify information security risks, their primary focus is not on information security.
D. The steering committee: The steering committee typically comprises senior executives from across the organization. It is responsible for overseeing and guiding the organization's strategic direction. While they may provide input into the organization's risk management strategy, they may not have the expertise to fully understand the organization's unique security risks.
Based on the above, the correct answer is B. Security Management. They are best placed to determine acceptable levels of information security risk, as they have the expertise to understand the organization's unique security risks and develop an appropriate risk management framework.