According to the CRISC Review Manual1, access controls are the policies, procedures, practices, and technologies that are designed and implemented to prevent unauthorized or inappropriate access to IT resources and data. Access controls are essential for ensuring the confidentiality, integrity, and availability of data, especially personally identifiable information (Pll), which is any information that can be used to identify, locate, or contact an individual. Insufficient access controls are the greatest concern related to data privacy when implementing an Internet of Things (loT) solution that collects Pll, as they can expose the data to various risks and threats, such as data leakage, theft, loss, corruption, manipulation, or misuse. Insufficient access controls can also cause legal, regulatory, ethical, or reputational issues for the organization, if the data privacy rights and expectations of the individuals are violated or compromised. References = CRISC Review Manual1, page 240, 253.

The first thing that should be done from a governance perspective to secure the information assets of a newly incorporated enterprise is to establish an inventory of information assets. An inventory of information assets is a document that lists and categorizes all the information assets that the organization owns, uses, or manages, such as data, documents, systems, applications, and devices. An inventory of information assets helps to identify and classify the information assets based on their value, sensitivity, and criticality, and to determine the appropriate level of protection and control for each asset. An inventory of information assets also helps to support the development and implementation of other information security activities, such as risk assessment, policy formulation, awareness training, and incident response. The other options are not the first thing that should be done, although they may be important steps or components of the information security governance.
Defining information retention requirements and policies, providing information security awareness training, and establishing security management processes and procedures are all activities that can help to secure the information assets, but they require the prior knowledge and understanding of the information assets. References = Risk and Information Systems Control Study Manual, Chapter 3, Section 3.1.1, page 3-3.

A risk register is a document that records and tracks the information and status of the identified risks and their responses. It includes the risk description, category, source, cause, impact, probability, priority, response, owner, action plan, status, etc.
A risk register update is a change or modification to the information or status of the risks and their responses in the risk register. It may be triggered by the occurrence or resolution of a risk event, the identification or evaluation of a new or emerging risk, the implementation or completion of a risk response, the monitoring or review of the risk performance, etc.
The most important risk register update for senior management to review is avoiding a risk that was previously accepted, which means that the organization has decided to eliminate or withdraw from the risk exposure or activity that may cause the risk, instead of tolerating or retaining the risk as before. This may indicate a significant change in the organization's risk appetite, strategy, objectives, or environment, and it may have a major impact on the organization's performance and value.
The other options are not the most important risk register updates for senior management to review, because they do not indicate a significant change or impact on the organization's risk profile or performance.
Extending the date of a future action plan by two months means that the organization has postponed the implementation or completion of the planned actions or measures to address the risk, due to some reasons or constraints. This may indicate a delay or deviation from the expected or desired risk outcome, but it may not have a major impact on the organization's performance and value, unless the risk is very urgent or critical.
Retiring a risk scenario no longer used means that the organization has removed or discarded the risk scenario that is no longer relevant or applicable to the organization's objectives or operations, due to some changes or developments. This may indicate a reduction or improvement in the organization's risk exposure or level, but it may not have a major impact on the organization's performance and value, unless the risk scenario was very significant or influential.
Changing a risk owner means that the organization has assigned or transferred the responsibility and accountability for the risk and its response to a different person or role, due to some reasons or circumstances.
This may indicate a change or improvement in the organization's risk governance or culture, but it may not have a major impact on the organization's performance and value, unless the risk owner was very ineffective or inappropriate. References = ISACA, CRISC Review Manual, 7th Edition, 2022, pp. 19-20, 23-24, 27-28, 31-32, 40-41, 47-48, 54-55, 58-
59, 62-63
ISACA, CRISC Review Questions, Answers & Explanations Database, 2022, QID 160 CRISC Practice Quiz and Exam Prep

The second line of defense provides oversight to ensure risks and controls are effectively managed. This includes compliance, risk management policies, and performance monitoring, aligning withRisk Governanceframeworks and enhancing the organization's risk resilience.

The control evaluation phase of a risk assessment is the phase where the risk practitioner evaluates the effectiveness and efficiency of the existing or planned controls that mitigate the identified risks. Controls are the actions or measures that reduce the likelihood or impact of the risks to an acceptable level. The control evaluation phase involves testing, reviewing, and auditing the controls, and identifying any gaps or weaknesses that need to be addressed. If the control evaluation phase reveals that multiple controls are ineffective, the risk practitioner's first course of action should be to determine the root cause of the control failures. The root cause is the underlying or fundamental reason that leads to the problem or issue, such as the controlfailure. By determining the root cause of the control failures, the risk practitioner can understand why the controls are not working as intended, and what factors or variables are influencing the control performance. This will help the risk practitioner to identify and implement the most appropriate and effective risk response strategy and actions, such as recommending risk remediation, comparing the residual risk, or escalating the control failures. The other options are not the first course of action, as they involve different steps or outcomes of the risk management process:
Recommend risk remediation of the ineffective controls means that the risk practitioner suggests the actions or measures that can improve or restore the effectiveness of the controls, such as by modifying, replacing, or adding the controls. This may be a useful step in the risk management process, but it is not the first course of action, as it may not address the root cause of the control failures, or may not be feasible or efficient for the enterprise's needs.
Compare the residual risk to the current risk appetite means that the risk practitioner evaluates the level of risk that remains after considering the existing or planned controls, and compares it with the amount and type of risk that the enterprise is willing to accept in pursuit of its objectives. This may be a helpful step in the risk management process, but it is not the first course of action, as it may not reflect the true or current level of risk exposure, or may not account for the uncertainties or complexities of the risks or the controls.
Escalate the control failures to senior management means that the risk practitioner communicates the control failures to the senior leaders of the enterprise, who oversee the enterprise-wide risk management program, and provide guidance and direction to the risk owners and practitioners. This may be a necessary step in the risk management process, but it is not the first course of action, as it may not provide sufficient or timely information or action to address the control failures, or may not reflect the urgency or priority of the control failures. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 2, Section
2.3.3.1, pp. 62-63.