Tuesday, May 5, 2015

SPC 2015 - NIST Risk Rap

The Ohio State University has developed an impressive Information Risk Management program.  I plan to steal a lot of it.

I plan to rap about it too.  Oh, look.  There it is.

NIST Risk Rap

Do you wanna know how to manage risk?
Lemme rap a bit 'bout a thing called NIST.
Hundreds of pages, hundreds of rules.
Gonna be adopted by so many schools.

It comes from a Federal agency,
Makin' up the standards, all for free.
(Well, also bought through Federal taxes,
But never mind that, it's the least of fact-es.)

I'm talkin' about one: eight hundred five three.
A nice long list specifying what be.
Giving you the standards, giving you controls.
Ammo for fighting your faculty trolls.

But don't stop there, gotta take the next step:
Architect it out like an Imhotep.
Makin' up the metrics, makin' up the forms,
Leading stakeholders, embracing new norms.

Assessments help, but keep them scoped small,
Otherwise the hill just becomes too tall.
Create yourself a process sustainable.
Keep your change goals all attainable.

If you build it right, risk will drop like beats.
Risk management: a most awesome of feats.


1 comment:

  1. Just went through a NIST Risk assessment...so much fun!!!