Building IT Policy Programs for Higher Education

2026 Edition

Most universities have IT policies. Few have a formal strategy behind them. This guide uses data from 410 institutions to show higher education leaders where the sector's policy gaps are, how the unique dynamics of academic culture shape security programs differently than corporate or government environments, and how to close those gaps systematically.

Formats: PDF, EPUB, WEB. 207 pages.

About the Book

Higher education IT policy isn't a documentation problem. It's a governance problem.

The distance between what should be documented and what actually exists creates Governance Debt, and it compounds the same way deferred maintenance does. When it comes due during a ransomware attack, a compliance audit, or a federal grant review, it transforms from a documentation gap into a direct financial and legal liability.

The evidence base: We reviewed the policy libraries of 410 colleges and universities, including every R1 research university in the United States, and studied what they actually published, where the gaps were, and how institutions across the sector are addressing them. The results form the 2026 CampusCISO IT Policy Study. The study is incorporated into a series of resources, including this book and free resources such as the CampusCISO IT Policy Framework and IT Policy Assessment Worksheet.

Four patterns emerged from the 2026 study: an Authentication Floor that proves consensus is possible; a Ransomware Cliff where documented response procedures drop from 57% at R1 to 2% at baccalaureate institutions; a Research Security Gap where federal requirements outpace institutional documentation; and an Oral Tradition Liability where critical technical practices live in people's heads instead of written standards.

What you'll find inside:

  • The four diagnostic patterns and the prevalence data behind them
  • Why higher education security programs are fundamentally different from corporate and government approaches, and how to design for shared governance, academic freedom, and decentralized IT
  • A framework of 17 policies and 24 standards grounded in observed practice, built to work alongside NIST, CIS, and ISO guidance
  • Regulatory context for common higher education requirements, including FERPA, GLBA, HIPAA, CMMC, export controls, and state breach laws
  • A self-assessment methodology to measure your Governance Debt: an initial diagnostic in about 20 staff hours, or a comprehensive assessment path you can complete in 70-130 staff hours
  • A template for phased improvements with a stakeholder briefing template and guidance on prioritizing gaps

Who it's for: CIOs, CISOs, IT leadership, and governance committees at higher education institutions of any size.

Companion tools: The CampusCISO IT Policy Framework and IT Policy Self-Assessment are available as free downloads from www.campusciso.com.

Installments completed: 1 / 10

About the Author

Christian "Chris" Schreiber

Chris Schreiber is a cybersecurity strategist with nearly 30 years of experience helping colleges and universities build defensible information security programs. He is the founder of CampusCISO®, a higher education advisory practice that he's operated as a solopreneur since 2021. He is also the creator of the Cyber Heat Map® capability assessment framework and the founder of the Cyber Bridge® peer community for education technology leaders.

Chris treats security planning as a structural discipline rather than a compliance exercise. He uses artificial intelligence to eliminate the manual, labor-intensive friction of data collection and correlation. By stripping out the mechanical busywork that typically inflates consulting engagements, he focuses entirely on high-value architecture. He reviews capability data through the lens of nearly 30 years of hands-on experience, delivering deep, defensible expertise at a fraction of the traditional cost. His work is grounded in concrete reality, drawing on structured data from more than 200 institutional capability assessments and IT policy reviews from over 400 institutions.

He learned to navigate the friction of decentralized governance by living it. Before launching his own practice, Chris served as the Chief Information Security Officer (CISO) at the University of Chicago, the University of Arizona, and the University of Wisconsin-Whitewater. He also translated institutional needs into product realities inside vendor organizations, including FireEye/Mandiant (now part of Google Cloud) and SunGard Higher Education (now Ellucian). Today, he continues to guide the sector through advisory engagements with institutions and by serving on the Advisory Board of the George Mason University Cyber Resilience Center.

In his writing, Chris translates complex technical concepts into plain-spoken strategies. He writes extensively about cybersecurity governance, IT policy, and building pragmatic strategies for cyber resilience using portfolio approaches to prioritize improvements.

A regular speaker at EDUCAUSE and other higher education conferences, Chris holds a Master's Certificate in Project Management from the University of Wisconsin-Madison and a B.S. in Business Administration from Central Michigan University.

Table of Contents

Executive Summary

Chapter 1: The As-Built Standard

  1. Design Drawings vs. As-Built Reality
  2. The Stakes: What Happens When Governance Debt Comes Due
  3. The Promise: What a Well-Built Program Makes Possible
  4. The Blueprint Is Not Your Building
  5. Chapter 1 Key Takeaways

Chapter 2: The 2026 Policy Landscape

  1. A Yearly Snapshot of the Sector
  2. About the Data
  3. Three Patterns That Define the Landscape
  4. Additional Gaps Across the Sector
  5. Interpreting the Data
  6. What the Data Leaves Out
  7. Chapter 2 Key Takeaways

Chapter 3: The Site Conditions

  1. The Warning
  2. The Soil: Shared Governance
  3. The Light: Academic Freedom
  4. The Access: Open Campus
  5. Shadow IT: The Unofficial Infrastructure
  6. Chapter 3 Key Takeaways

Chapter 4: Framework Alignment

  1. The Defensibility Imperative
  2. Four Common Frameworks
  3. Right-Sizing for Your Team
  4. The Layered Approach
  5. The Metaframework Approach
  6. Chapter 4 Key Takeaways

Chapter 5: Structural Loads

  1. The Weight Your Building Must Support
  2. A. The Foundation: Universal Loads
  3. B. Environmental Loads
  4. C. Mission-Specific Loads
  5. Calculating Your Institution’s Regulatory Load
  6. Chapter 5 Key Takeaways

Chapter 6: The Blueprints

  1. The Load-Bearing Walls
  2. A. The Governance Hierarchy
  3. B. The Policy Inventory (17 Policies)
  4. C. The Standards Inventory (24 Standards)
  5. Chapter 6 Key Takeaways

Chapter 7: Designing for Research

  1. The Research Distinction
  2. Principal Investigators Are Entrepreneurs
  3. Research Computing: A Different Architecture
  4. How Research Governance Works
  5. How Research Data Flows
  6. Chapter 7 Key Takeaways

Chapter 8: Designing for the Highest Tiers

  1. The Too-Many-Programs Trap
  2. Risk-Tiered Data Classification
  3. Minimize the Scope of Your Most Restrictive Tier
  4. Mapping Regulations to the Framework
  5. Supporting New Compliance Requirements
  6. What Makes the Layering Work
  7. From Structure to Execution
  8. Chapter 8 Key Takeaways

Chapter 9: Conducting the Inspection

  1. If You Only Have 20 Hours
  2. The Inspection Process
  3. Step 1: Gather Your Documentation
  4. Step 2: Create Your Inventory
  5. Step 3: Assess Against the Framework
  6. Step 4: Prioritize the Gaps
  7. Step 5: Document Your Findings
  8. Your Inspection Is Complete
  9. Additional Support For Your Assessments
  10. Chapter 9 Key Takeaways

Chapter 10: The Improvement Roadmap

  1. Why Annual Review Is the Standard
  2. The Prioritization Hierarchy
  3. Phase 1: Shore Up the Foundation
  4. Phase 2: Address the Structural Loads
  5. Phase 3: Future-Proof the Structure
  6. Building This Year’s Roadmap
  7. The Culture Work
  8. The Project Toolkit
  9. Chapter 10 Key Takeaways

Conclusion: The Path Forward

  1. Document Information

Glossary of Terms
