Continuous data backup controls are the best recommendation to further reduce the impact of ransomware attacks, as they enable the organization to restore the data that has been encrypted or deleted by the ransomware without paying the ransom or losing the data. Continuous data backup controls ensure that the data is regularly and automatically backed up to a secure and separate location, and that the backup data is tested and verified for integrity and availability. Two-factor authentication, encryption for data at rest, and encryption for data in motion are not the best recommendations to further reduce the impact of ransomware attacks, as they do not address the recovery of the data that has been compromised by the ransomware. These controls may help to prevent or mitigate ransomware attacks, butnot to reduce their impact. References = CRISC by Isaca Actual Free Exam Q&As, question 207; CRISC: Certified in Risk & Information Systems Control Sample Questions, question 207.

A benchmark analysis is a process of comparing the organization's performance, practices, and processes with those of other organizations in the same industry or sector. A benchmark analysis can provide the most useful information when determining the frequency of risk assessments, because it can help the organization to identify the best practices, standards, and expectations for security risk management in its industry. A benchmark analysis can also help the organization to assess its current level of maturity, capability, and compliance in relation to security risk management, and to determine the gaps and areas for improvement. By conducting a benchmark analysis, the organization can establish a realistic and appropriate frequency of risk assessments that aligns with its industry norms and its own risk profile. The other options are not as useful as a benchmark analysis, because they do not provide a comprehensive and relevant view of the security risk management landscape, but rather focus on specific or partial aspects of the organization's situation. References = Risk and Information Systems Control Study Manual, Chapter 1, Section 1.3.2, page
18.

Internet of Things (IoT) is an emerging technology that refers to the network of devices, such as cameras, sensors, appliances, or vehicles, that can communicate and exchange data via the internet. IoT is frequently used for botnet distributed denial of service (DDoS) attacks, which are cyberattacks that aim to disrupt or disable a target's online services by overwhelming them with traffic from multiple sources. IoT devices are often unsecured, unpatched, or misconfigured, which makes them vulnerable to being infected by malware and controlled by attackers. Attackers can use IoT devices to create large and powerful botnets that can launch DDoS attacks against various targets, such as websites, servers, or networks. According to the CRISC Review Manual 2022, IoT is one of the key emerging technologies that pose new IT risks, including DDoS attacks1.
According to the CRISC Review Questions, Answers & Explanations Manual 2022, IoT is the correct answer to this question2. According to the web search results, IoT devices are commonly used for botnet DDoS attacks, such as the Mirai botnet, the Emotet botnet, and the BoT-IoT dataset345.

The risk practitioner's best course of action when an organization has been made aware of a newly discovered critical vulnerability in a regulatory reporting system is to perform an impact assessment, as it involves estimating the potential consequences or damage that the vulnerability may cause to the system and its related business processes, and prioritizing the risk response accordingly. The other options are not the best courses of action, as they may not address the urgency or severity of the vulnerability, or may require the prior knowledge of the impact or risk level, respectively. References = CRISC Review Manual, 7th Edition, page
100.