[Verse 1]
The board reviews compliance once a quarter
But who exactly checks each vendor's gate?
"Users shall be careful" sounds like water
Slipping through your fingers while you wait
No proof of training, no audit trail
When controls are foggy, systems fail

[Chorus]
Who does what, when does it happen
How do we prove it's really done?
Three deadly sins will leave you grappling
Unverifiable, unmeasured, no one
Write it clear, make it stick
Who, what, when, and how we tick

[Verse 2]
"Systems shall be adequately shielded"
Adequate to whom, and measured how?
Without metrics, standards never yielded
Benchmarks that auditors disallow
Eighty percent uptime or ninety-nine?
Draw the borders, define the line

[Chorus]
Who does what, when does it happen
How do we prove it's really done?
Three deadly sins will leave you grappling
Unverifiable, unmeasured, no one
Write it clear, make it stick
Who, what, when, and how we tick

[Bridge]
Security measures shall be maintained
But whose signature's on that decree?
Ghost responsibilities, unclaimed
Accountability's missing key
Name the owner, set the clock
Evidence that stands like rock

[Verse 3]
Change the language, sharpen focus now
"IT manager validates credentials weekly"
"Penetration testing twice per year, and how?"
"Document reviews completed completely"
Every control answering four questions clean
Measurable, owned, and provably seen

[Final Chorus]
Who does what, when does it happen
How do we prove it's really done?
Three deadly sins won't leave you grappling
Verified, measured, someone owns
Crystal controls that truly stick
Who, what, when, and how we tick