The first course of action when a data breach has occurred due to malware is to quarantine the impacted systems. This means isolating the infected systems from the rest of the network and preventing any further communication or data transfer with them. This can help contain the spread of the malware, limit the damage and exposure of sensitive data, and facilitate the investigation and remediation of the incident. Quarantining the impacted systems can also help preserve the evidence and logs that may be needed for forensic analysis or legal action.
References:
* [1] provides a guide on how to respond to a data breach caused by malware and recommends quarantining the impacted systems as the first step.
* [2] explains what is malware and how it can cause data breaches, and suggests quarantining the infected devices as a best practice.
* [3] describes the steps involved in quarantining a system infected by malware and the benefits of doing so.

The best way to prevent the misconfiguration from recurring is to grant user access using a role-based model. A role-based access control (RBAC) model is an access control method that assigns permissions to end-users based on their role within the organization1. RBAC provides fine-grained control, offering a simple, manageable approach to access management that is less error-prone than individually assigning permissions1. RBAC also enforces the principle of least privilege, which means that users only have the minimum access required to perform their tasks2.
A role-based model can help prevent segregation of duties (SoD) issues in an ERP system by restricting user access to conflicting activities within the application. SoD is a central issue for enterprises to ensure compliance with laws and regulations, and to reduce the risk of fraud and unauthorized transactions3. SoD requires that no single individual or group of individuals should have control over two or more parts of a process or an asset3. For example, a user who can create and approve purchase orders should not be able to process payments or modify vendor records.
By using a role-based model, user access provisioning is based on the needs of a group (e.g., accounting department) based on common responsibilities and needs1. This means each role has a given set of permissions, and individuals can be assigned to one or more roles. For example, you may designate a user as an accounts payable clerk, an accounts receivable clerk, or a financial manager, and limit access to specific resources or tasks. The user-role and role-permissions relationships make it easy to perform role assignment because individual users no longer have unique access rights, rather they have privileges that conform to the permissions assigned to their specific role or job function1.
The other options are not the best way to prevent the misconfiguration from recurring. Monitoring access rights on a regular basis (option A) is a detective control that can help identify SoD issues after they occur, but it does not prevent them from happening in the first place. Referencing a standard user-access matrix (option B) is a tool that can help document and analyze user access rights, but it does not ensure that the user access rights are configured correctly or consistently. Correcting the segregation of duties conflicts (option D) is a corrective action that can resolve SoD issues once they are detected, but it does not prevent them from happening again.
References: 3: Implementing Segregation of Duties: A Practical Experience Based on Best Practices 1: What is Role-Based Access Control (RBAC)? Examples, Benefits, and More 2: What is Azure role-based access control (Azure RBAC)?