During a recent security framework review, it was discovered that the marketing department implemented a non-fungible token asset program. This was done without following established risk procedures. Which of the following should the risk practitioner do FIRST?
Correct Answer: B
Perform a Risk Assessment
Immediate Action: The first step when discovering a non-compliant implementation is to understand the potential risks it poses to the organization. This involves identifying threats, vulnerabilities, and potential impacts of the non-fungible token (NFT) asset program.
Risk Identification and Evaluation: Assess the new program's impact on the organization's risk profile. Determine if it introduces significant security, compliance, or operational risks.
Documentation and Reporting: Document the findings and present them to senior management along with recommendations for mitigation or further action.
Comparison with Other Options:
Report the Infraction: Reporting is necessary but should follow the risk assessment to provide a clear understanding of the implications and necessary mitigations.
Conduct Risk Awareness Training: Training is preventive and should be part of a long-term strategy, not the immediate response to a specific incident.
Discontinue the Process: Discontinuing the process may be a necessary step after assessing the risk, but the assessment must come first to justify such an action.
Best Practices:
Comprehensive Risk Assessment: Ensure that the risk assessment covers all aspects, including financial, reputational, and regulatory risks.
Stakeholder Involvement: Involve relevant stakeholders in the assessment process to gather diverse perspectives and ensure a thorough evaluation.
Actionable Recommendations: Provide clear, actionable recommendations based on the risk assessment findings.
References:
CRISC Review Manual: Discusses the importance of performing risk assessments when new systems or processes are implemented without following established procedures.
ISACA Standards: Emphasize the need for a systematic approach to identifying and assessing risks introduced by new initiatives or changes within the organization.
CRISC Exam Question 252
Who is PRIMARILY accountable for identifying risk on a daily basis and ensuring adherence to the organization's policies?
Correct Answer: A
CRISC Exam Question 253
Which of the following is the PRIMARY benefit of stakeholder involvement in risk scenario development?
Correct Answer: D
Risk scenario development is a process that involves identifying and describing the potential risk events that can affect an organization's objectives and operations. It requires the input and participation of various stakeholders, such as management, staff, customers, suppliers, regulators, and competitors. The primary benefit of stakeholder involvement in risk scenario development is that it increases awareness of emerging business threats: it helps to identify and anticipate new or changing sources and impacts of risk that may not be captured by the existing risk assessment methods or tools. Stakeholder involvement can also improve the quality and completeness of the risk scenarios, and enhance communication and collaboration among the stakeholders regarding the risk management process. References = Risk and Information Systems Control Study Manual, Chapter 2, Section 2.2.1.1, p. 66-67
CRISC Exam Question 254
Which of the following key risk indicators (KRIs) is MOST effective for monitoring risk related to a bring your own device (BYOD) program?
Correct Answer: B
The most effective key risk indicator (KRI) for monitoring risk related to a bring your own device (BYOD) program is the number of incidents originating from BYOD devices, as it directly measures the frequency and impact of the threats and vulnerabilities associated with using personal devices to access company data and systems. A BYOD program can pose various risks to an organization, such as data loss or breach, malware infection, unauthorized access, compliance violations, and device theft or loss. The number of incidents originating from BYOD devices helps to identify and quantify these risks, and to trigger appropriate risk response actions when the incident count exceeds the acceptable threshold. The other options are not the most effective KRIs, as they do not directly measure the risk level or impact of the BYOD program. The number of users who have signed a BYOD acceptable use policy may indicate user awareness and compliance, but not the actual risk exposure or mitigation. The budget allocated to BYOD program security controls may indicate the investment in and efficiency of risk management, but not its effectiveness or necessity. The number of devices enrolled in the BYOD program may indicate the scope and scale of the risk, but not its severity or likelihood. References = Key Risk Indicators: A Practical Guide; KRI Framework for Operational Risk Management
CRISC Exam Question 255
Which of the following is the BEST way to mitigate the risk to IT infrastructure availability?
Correct Answer: A
The best way to mitigate the risk to IT infrastructure availability is to establish a disaster recovery plan (DRP), because a DRP is a document that defines the procedures and resources needed to restore the IT infrastructure and resume the critical business functions in the event of a disaster or disruption. A DRP helps to minimize the downtime, data loss, and financial impact of a disaster, and ensures the continuity of operations and services. The other options are not the best ways to mitigate the risk to IT infrastructure availability, although they may also be helpful in supporting the DRP. Establishing recovery time objectives (RTOs), maintaining a current list of staff contact details, and maintaining a risk register are examples of planning or monitoring activities that aim to define the requirements, roles, and responsibilities for the disaster recovery process, but they do not address the actual implementation or execution of the DRP. References = CRISC: Certified in Risk & Information Systems Control Sample Questions