
Part A

Requirement 1
In the context of the Optus data breach, two components of the COSO-ERM framework that
are particularly relevant are the Control Environment (the component COSO ERM itself labels the
Internal Environment) and Information and Communication (Lee & Lee, 2021).

The Control Environment component sets the tone for the organization's risk management
and establishes the foundation for all other components. It encompasses the integrity, ethical
values, and competence of the people within the organization (Huang & Liu, 2019). To strengthen
Optus's control environment and reduce its cybersecurity risk, the following measures can be
implemented:

i. Optus should foster a culture of cybersecurity awareness and make it a top priority.
Senior management should demonstrate a visible commitment to data security and
establish policies that promote a proactive approach to risk management.
ii. Optus should offer thorough training programs that teach staff its data-protection
procedures, including how to identify and report possible cyber threats (Huang & Liu,
2019). Regular updates on emerging threats, together with ongoing awareness initiatives,
help employees stay alert to phishing attempts and other forms of social engineering.

The Information and Communication component focuses on the identification, capture,
and exchange of information relevant to managing risks. It ensures an efficient flow of
information across the company, supporting prompt decision-making and appropriate action (Lee &
Lee, 2021). The following actions may be taken to improve Optus's cybersecurity-related
information and communication processes:

i. Optus must carry out frequent risk assessments in order to identify and rank its
cybersecurity threats. This entails assessing the threat landscape, monitoring
industry developments, and staying up to date on newly disclosed vulnerabilities and
attack methods (Saleem et al., 2019).
ii. Optus should maintain a thorough incident response plan that sets out, for a data breach
or cyber-attack, the steps to be taken, who is responsible for each, and how affected
customers and regulators are to be notified.

Requirement 2
1) Inadequate implementation and enforcement of frameworks

Even where frameworks and regulations are established, their effectiveness depends heavily on
the implementation and enforcement of policies and controls. It is possible that Optus had
robust data protection frameworks on paper but failed to implement and enforce them
effectively throughout the organization. This could be due to various reasons, such as insufficient
resources allocated to cybersecurity, a lack of proper training and awareness among employees,
or inadequate oversight and monitoring of security measures (Al-Matari et al., 2021).
Additionally, without accountability and proper governance mechanisms to ensure compliance,
internal controls might not have been implemented effectively or followed consistently,
leaving vulnerabilities that attackers could exploit.

2) The evolving nature of cybersecurity threats

Cybersecurity threats are constantly evolving, and attackers continually find new ways to
exploit vulnerabilities. Organizations like Optus must stay updated and adaptive to emerging
threats by regularly assessing and reassessing their risk management strategies. It is possible
that Optus’s risk management frameworks and controls were designed based on previous
threats and did not adequately address emerging risks. As cyber threats become more
sophisticated, organizations need to continually invest in research, threat intelligence, and
proactive measures to stay ahead of potential attacks (Dikokoe, 2021). Failure to adapt to
evolving threats can leave organizations vulnerable, even if they have implemented adequate
controls based on earlier risk assessments.

In addition to the above reasons, there might have been gaps in internal controls and audit
processes that contributed to the data breach. Such gaps can arise from inadequate
incident response plans, weak access controls, poor monitoring and detection systems, or
insufficient segregation of duties.

References
Al-Matari, O. M., Helal, I. M., Mazen, S. A., & Elhennawy, S. (2021). Integrated framework
for cybersecurity auditing. Information Security Journal: A Global
Perspective, 30(4), 189-204.

Dikokoe, T. (2021). Role of Internal Audit in Managing Cyber Security Risks. University of
Johannesburg (South Africa).

Lee, H., & Lee, H. (2021). COSO ERM Framework. Risk Management: Fundamentals,
Theory, and Practice in Asia, 35-50.

Saleem, K. S. A., Zraqat, O. M., & Okour, S. M. (2019). The effect of internal audit quality
(IAQ) on enterprise risk management (ERM) following the COSO
framework. European Journal of Scientific Research, 152(2), 177-188.

Huang, Y., & Liu, L. (2019). Research on risk management in the internal process of college
procurement under the COSO-ERM framework. Research & Exploration in Laboratory, 38(11).
