Say What You Do: Building a framework of IT controls, policies, standards, and procedures

Posted on by Ben Rothke

Say What You Do: Building a framework of IT controls, policies, standards, and procedures is an excellent book on how to build a compliance framework. While many other books have claimed to assist the reader in that task, most are nothing more than tedious collections of checklists and tables that have little practical value.

The authors take a different approach here, laying out a true structure upon which to build a compliance effort. In more than 400 densely packed pages, they walk the reader through the steps needed to achieve IT compliance. 

The book is an outgrowth of the Unified Compliance Framework (UCF) project, an initiative to map IT controls across international regulations, standards, and best practices. The UCF seeks to accomplish its goal by harmonizing terms and controls against the backdrop of a master hierarchical list. Many readers, and their employers, will likely be surprised how many regulations they have never heard of yet are obligated to follow. 

The book is unique in that the authors have taken a high-level approach to compliance, focusing on the commonalities among the various requirements. Thus, the UCF and Say What You Do empower organizations to deal more practically with the myriad regulations and standards they are required to follow. The book is valuable for any practitioner serious about gaining control over a compliance program.

Ben Rothke

Senior Information Security Manager, Tapad


Tags: risk management, legislation, privacy

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
