CampusCISO IT Policy Framework
Introduction
The CampusCISO IT Policy Framework (2026 Edition) is a benchmark of IT policy and governance practices in higher education. It’s grounded in annual research that now spans more than 400 colleges and universities.
This framework focuses on IT governance maturity: whether an institution has the right technology policies and standards in place. It does not assess operational security controls or technical vulnerabilities, which are addressed by other CampusCISO diagnostic instruments.
Behind that focus lies a harder question: what should a higher education IT policy program contain, and what should those policies actually say? Two common answers fall short. One is a single expert’s opinion. The other is a generic blend of control frameworks and lists of best practices, none written specifically for higher education. This framework takes a third path. It answers the question with evidence, drawn not from any one framework but from the patterns that recur across the sector’s actual practice.
Anyone who has spent time on a campus has seen paths worn into the grass where students take shortcuts instead of following the sidewalk. Urban planners call this phenomenon a “desire path,” and they study it to understand where the official infrastructure failed to match where people actually wanted to go. The same observational approach shapes this framework. We map the desire paths of higher education IT policy, distinguishing between the Universal requirements found at nearly every major research university[^1] and the Emerging practices that are still developing consensus.
Our research operates at two levels. At the document level, we identify which policies and standards higher education institutions publish. Those inform the inventory of 17 policies and 24 standards.
At the element level, we look inside those documents to see which specific details appear consistently across the sector. We then cross-reference what we observe with regulatory drivers and authoritative standards from NIST, ISO, NCSC[^2], and EDUCAUSE.
The framework, as defined in its inventory of policies and standards, is where peer practice, regulation, and authoritative guidance converge into a higher education reference model.
This framework is a maturity rubric, not a control catalog. We identify which policy and standards topics higher education institutions actually document, without prescribing the specific controls within them.
The framework helps institutions move from reactive compliance work (audits, checklists, GRC cycles) toward continuous improvement of their IT policy programs. It provides the shared structural foundation that makes year-over-year improvement practical: validated topic guidance, prevalence-based classifications, and annual research that tracks how the sector evolves.
It complements control frameworks like NIST CSF, NIST SP 800-171, and ISO 27001 rather than replacing them. Control frameworks specify what technical safeguards to implement, while this framework shows what topics a mature IT policy program in higher education actually covers, and where an institution’s program stands relative to peers.
How to Use This Framework Document
- Benchmark: Comparing a policy library with a peer consensus to identify gaps.
- Assess: Using the included Self-Assessment to determine the institution’s Diagnostic Score.
- Prioritize: Focusing political capital on “Universal” items first, which represent the sector’s baseline for due diligence.
- Implement: Referring to the companion guide, Building IT Policy Programs for Higher Education, for rationale, drafting advice, and implementation strategies.
Related Publications
The CampusCISO IT Policy product family includes additional resources that complement this framework. The companion guide, Building IT Policy Programs for Higher Education (2026 Edition), provides strategic context, regulatory analysis, drafting advice, and implementation strategies for building a complete IT policy program. For the full catalog of related resources, visit campusciso.com/it-policy-guide.
Framework Structure
The framework’s structure mirrors how higher education institutions organize policy in practice. Two dimensions shape it: a governance hierarchy that distinguishes policies from standards by their place in an institution’s authority structure, and a prevalence classification that reflects how widely each item is adopted across the sector. The inventories that follow are arranged by both.
Governance Hierarchy
Mature institutions distinguish between policies, standards, procedures, and guidelines. This hierarchy assigns the right approval authority at each level: board-level policies change infrequently and require executive sign-off, while technical standards can be updated by IT leadership as threats evolve. Mixing these levels together creates either governance bottlenecks or gaps in oversight.
| Level | Purpose | Approval | Updates |
|---|---|---|---|
| Policy | WHY - Management intent | Board/Cabinet | Infrequent |
| Standard | WHAT - Technical specifications | CIO/CISO | As needed |
| Procedure | HOW - Detailed instructions | Department | Frequent |
| Guideline | Advisory (not mandatory) | Department | As needed |
Prevalence Definitions
The annual research determines each item’s classification by measuring its observed prevalence, and classifications shift between editions as sector practice evolves. Emerging items can move toward Common as adoption spreads. Common items can advance to Universal once they reach consensus. The Edition History documents how items have been reclassified across versions.
| Level | Definition |
|---|---|
| Universal | Observed at ≥90% of Tier 1 institutions. Legally or operationally essential. |
| Common | Observed at 50-89% of Tier 1 institutions. Indicators of well-developed security programs. |
| Emerging | Observed at <50% of Tier 1 institutions. Practices still developing sector consensus. |
Policy Inventory (17 Identified)
These board-level policies establish management intent and risk tolerance, delegating implementation details to standards and procedures. Prevalence data reveals which policies are baseline expectations versus emerging areas where the sector is still developing consensus.
The framework groups higher education institutions into five institutional tiers based on Carnegie Classification to enable peer benchmarking. Prevalence figures in this section reflect Tier 1 institutions (R1 research universities) with full documentation visibility. For tier definitions and the scoring formula, see the Methodology and Findings chapter. Individual institutional requirements vary based on regulatory environment, mission, and risk tolerance.
Tier 1 institutions anchor the framework because their programs are the most fully developed and documented in the sector. That makes them its clearest reference point, but most of what the framework measures applies to an institution of any size or type. Only a handful of items are tied to a specific mission, such as sponsored research or international travel. Every institution is measured against the same yardstick, and an institution of any type can demonstrate strong maturity. Where a smaller institution scores lower, that often reflects how completely it has documented its program rather than whether the governance matters to it.
Universal Policies (7)
| Ref | Policy Name | Prevalence | What to Look For |
|---|---|---|---|
| P-02 | Information Security Administration | 94% | Delegates authority to CISO for security program, incident response, risk management |
| P-03 | Acceptable Use of Information Technology | 100% | Acceptable and prohibited uses, user responsibilities, enforcement framework |
| P-04 | Data Handling and Classification | 97% | Institutional data ownership, risk-based classification levels, baseline handling requirements |
| P-05 | Privacy | 97% | Legal obligations for personal information (FERPA[^3], GLBA[^4], state laws) |
| P-06 | Incident Response | 95% | Crisis management framework, breach notification procedures |
| P-07 | IT Accessibility | 91% | Digital accessibility (ADA[^5], Section 508[^6], WCAG[^7]) |
| P-09 | Information Security | 99% | Adopted security framework, program scope, principles, governance structure |
Common Policies (5)
| Ref | Policy Name | Prevalence | What to Look For |
|---|---|---|---|
| P-01 | Information Technology Administration | 72% | Delegates authority to CIO for IT strategy, operations, resource management |
| P-08 | Business Continuity / Disaster Recovery | 73% | Institution-wide resilience planning, recovery requirements for critical systems |
| P-10 | Data Governance | 78% | Data ownership, stewardship, quality standards, lifecycle management |
| P-11 | Research Data Management | 79% | Federal sponsor compliance (CUI/CMMC[^8], EAR[^9], ITAR[^10]), builds on P-04. N/A if no sponsored research. |
| P-13 | Third-Party Risk Management | 76% | Vendor risk assessment, due diligence, ongoing monitoring requirements |
Emerging Policies (5)
| Ref | Policy Name | Prevalence | What to Look For |
|---|---|---|---|
| P-12 | AI Governance | 47% | Responsible AI use, data protection, bias awareness, academic integrity |
| P-14 | Digital Presence / Web Governance | 9% | Domain management, web content standards, institutional digital presence |
| P-15 | Copyright Compliance / DMCA | 5% | HEOA[^11] compliance, Digital Millennium Copyright Act (DMCA)[^12] response, P2P governance |
| P-16 | Identity Theft Prevention | 11% | FTC Red Flags Rule[^13], identity theft detection and response |
| P-17 | Institutional Access to Electronic Information | 5% | Access to user accounts and communications, legal holds, privacy boundaries |
Standards Inventory (24 Identified)
Standards translate policy intent into technical specifications. While policies establish that data must be protected, standards specify encryption algorithms, password complexity requirements, and patch timelines. These standards represent the technical control areas most commonly documented at higher education institutions.
Prevalence figures in this section also reflect Tier 1 institutions with full documentation visibility.
Universal Standards (11)
| Ref | Standard Name | Prevalence | What to Look For |
|---|---|---|---|
| S-01 | Secure Configuration | 92% | Baseline configs for OS, applications, network devices |
| S-02 | Encryption | 98% | Data at rest/in transit, approved algorithms, key management |
| S-03 | Password and Authentication | 100% | Password complexity, MFA, passwordless requirements |
| S-04 | Network Security | 96% | Firewall rules, segmentation, boundary protection, monitoring |
| S-05 | Patch and Vulnerability Management | 96% | Scanning frequency, patch timelines, remediation SLAs |
| S-06 | Access Control and Identity Management | 99% | Identity lifecycle, privileged access, authorization frameworks |
| S-07 | Remote Access | 95% | VPN requirements, remote desktop security |
| S-09 | Security Monitoring and Logging | 94% | Log retention, SIEM requirements, event analysis |
| S-10 | Data Retention and Disposal | 97% | Retention schedules, secure deletion, destruction certificates |
| S-13 | Server and Endpoint Management | 95% | Server hardening, endpoint protection |
| S-19 | Personnel Security | 93% | Background checks, training, termination procedures |
Common Standards (9)
| Ref | Standard Name | Prevalence | What to Look For |
|---|---|---|---|
| S-08 | Backup and Recovery | 84% | Backup frequency, retention, recovery testing, off-site storage |
| S-11 | Cloud Computing Security | 81% | Cloud evaluation, configuration, shared responsibility model |
| S-12 | Mobile Device Security | 87% | University and personal device management, remote wipe |
| S-14 | Wireless Network Security | 85% | WPA3, guest isolation, rogue AP detection |
| S-15 | Change Management | 55% | Change approval, testing, rollback procedures |
| S-16 | Physical Security of IT Assets | 77% | Data center access, equipment disposal, clean desk |
| S-17 | Software Licensing and Installation | 73% | Approved software, license compliance, prohibited apps |
| S-18 | Email Security | 88% | Spam filtering, phishing protection, encryption |
| S-21 | Ransomware Response Procedures | 57% | Detection, containment, recovery, communication |
Emerging Standards (4)
| Ref | Standard Name | Prevalence | What to Look For |
|---|---|---|---|
| S-20 | Zero Trust Architecture | 7% | Identity verification, least privilege, micro-segmentation |
| S-22 | IoT / Connected Device Security | 23% | Device inventory, isolation, firmware updates |
| S-23 | Security Exception Management | 7% | Policy deviation requests, risk acceptance, waiver procedures |
| S-24 | International Travel Security | 6% | Device/data protection abroad, loaner devices, high-risk countries |
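As an added example (not CampusCISO's own tooling, and not the Appendix A scoring formula, which this page does not reproduce), the Python below encodes the Tier 1 prevalence figures from the policy and standards inventory tables together with the thresholds from the Prevalence Definitions table, derives each item's classification, checks that the derived counts match the published section headings, and then runs the Benchmark and Prioritize steps from How to Use against a constructed sample library. The sample library, the treatment of mission-specific items (P-11, S-24) as optionally not applicable, and the shape of the report are assumptions made for the illustration.

```python
"""Gap benchmark of an institution's policy library against the framework inventory.

Added illustration, not CampusCISO's own tooling and not the Appendix A
scoring formula. Prevalence figures and thresholds are transcribed from the
framework tables; the sample library below is constructed.
"""

# Classification thresholds from the Prevalence Definitions table.
UNIVERSAL_MIN = 90  # observed at >= 90% of Tier 1 institutions
COMMON_MIN = 50     # 50-89%; anything below is Emerging

# Tier 1 prevalence (percent) per item ref, as published in the inventory tables.
PREVALENCE = {
    # Policies
    "P-01": 72, "P-02": 94, "P-03": 100, "P-04": 97, "P-05": 97, "P-06": 95,
    "P-07": 91, "P-08": 73, "P-09": 99, "P-10": 78, "P-11": 79, "P-12": 47,
    "P-13": 76, "P-14": 9, "P-15": 5, "P-16": 11, "P-17": 5,
    # Standards
    "S-01": 92, "S-02": 98, "S-03": 100, "S-04": 96, "S-05": 96, "S-06": 99,
    "S-07": 95, "S-08": 84, "S-09": 94, "S-10": 97, "S-11": 81, "S-12": 87,
    "S-13": 95, "S-14": 85, "S-15": 55, "S-16": 77, "S-17": 73, "S-18": 88,
    "S-19": 93, "S-20": 7, "S-21": 57, "S-22": 23, "S-23": 7, "S-24": 6,
}

# Items the framework ties to a specific mission (P-11 is N/A without sponsored
# research; S-24 covers international travel). Declaring any other item N/A is
# rejected, an assumption made here so gaps cannot be waived away.
MISSION_SPECIFIC = {"P-11": "sponsored research", "S-24": "international travel"}

TIERS = ("Universal", "Common", "Emerging")


def classify(prevalence: int) -> str:
    """Map a Tier 1 prevalence percentage to the framework's classification."""
    if not 0 <= prevalence <= 100:
        raise ValueError(f"prevalence must be 0-100, got {prevalence}")
    if prevalence >= UNIVERSAL_MIN:
        return "Universal"
    if prevalence >= COMMON_MIN:
        return "Common"
    return "Emerging"


def inventory_counts() -> dict:
    """Items per tier, split into policies ('P') and standards ('S').

    Consistency check on the transcription: the derived counts must match the
    section headings (7/5/5 policies, 11/9/4 standards).
    """
    counts = {kind: dict.fromkeys(TIERS, 0) for kind in ("P", "S")}
    for ref, prevalence in PREVALENCE.items():
        counts[ref[0]][classify(prevalence)] += 1
    return counts


def benchmark(library: set, not_applicable: frozenset = frozenset()) -> dict:
    """Compare a library of item refs with the inventory (Benchmark + Prioritize).

    For each tier, return applicable/present counts and the missing refs ordered
    by descending prevalence, so the most widely adopted gap is listed first.
    Items declared not applicable leave the denominator instead of counting as
    gaps; only mission-specific items may be declared so.
    """
    unknown = set(library) - set(PREVALENCE)
    if unknown:
        raise ValueError(f"refs not in the inventory: {sorted(unknown)}")
    bad = set(not_applicable) - set(MISSION_SPECIFIC)
    if bad:
        raise ValueError(f"only mission-specific items may be N/A: {sorted(bad)}")
    report = {}
    for tier in TIERS:
        applicable = [r for r, p in PREVALENCE.items()
                      if classify(p) == tier and r not in not_applicable]
        gaps = sorted((r for r in applicable if r not in library),
                      key=lambda r: -PREVALENCE[r])
        report[tier] = {"applicable": len(applicable),
                        "present": len(applicable) - len(gaps), "gaps": gaps}
    return report


# Constructed sample: a mid-sized institution with no sponsored research and no
# international travel program, and a partially documented standards library.
SAMPLE_LIBRARY = {
    "P-01", "P-02", "P-03", "P-04", "P-05", "P-06", "P-08", "P-09",
    "S-02", "S-03", "S-04", "S-05", "S-06", "S-07", "S-08", "S-09", "S-10",
    "S-12", "S-13", "S-18",
}
SAMPLE_NOT_APPLICABLE = frozenset({"P-11", "S-24"})

if __name__ == "__main__":
    for tier, row in benchmark(SAMPLE_LIBRARY, SAMPLE_NOT_APPLICABLE).items():
        print(f"{tier:9} {row['present']:2}/{row['applicable']:2} present; "
              f"gaps in priority order: {', '.join(row['gaps']) or 'none'}")
```

Run as a script, the sample library shows three Universal gaps (S-19, S-01, P-07) ahead of any Common or Emerging item, which is the ordering the Prioritize step calls for. The report deliberately stops at counts and ordered gap lists; turning them into a Diagnostic Score requires the Appendix A formulas.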
Framework Alignment
Explicit alignment to an established cybersecurity framework strengthens an institution’s security program by providing structured guidance, enabling peer comparison, and demonstrating due diligence to auditors and insurers.
Which framework an institution chooses depends on context. For example, research institutions with federal contracts often require NIST alignment, while institutions seeking international partnerships may benefit from ISO certification.
| Framework | Best For |
|---|---|
| NIST CSF 2.0[^14] | Most institutions; strategic communication with leadership |
| NIST SP 800-53[^15] | Detailed control implementation; federal compliance mapping |
| NIST SP 800-171 (Rev 2/Rev 3)[^16][^17] | Institutions handling CUI, from DoD research to federal student aid tax information (CMMC requires Rev 2; ED and other federal programs transitioning to Rev 3) |
| CISA Cross-Sector CPGs 2.0[^18] | Resource-constrained institutions; prioritized baseline of high-impact practices |
| ISO 27001/27002[^19] | International partnerships; certification requirements |
| Cyber Essentials[^20] | UK partnerships and lean institutions; certifiable baseline of five technical controls |
Example Approaches to Policy Structure
Institutions organize their policy and standards libraries in different ways, and no single structure is required. The examples below range from strict mapping to one NIST control set, to consolidated libraries that hold policy and standard content together, to custom controls catalogs. Each institution publishes its structure openly.
| Institution | Notable Characteristics |
|---|---|
| Indiana University[^21] | Pure NIST 800-53 alignment, 16 standards mapped to control families |
| Wisconsin-Madison[^22] | 30+ numbered IT policies in a single library covering both policy and standard content |
| Penn State[^23] | 14 security standards, CISO Advisory Committee |
| Texas A&M[^24] | 21-family Controls Catalog with DIR/NIST alignment |
| University of Florida[^25] | Archer-based CSF maturity assessment |
| UNC Chapel Hill[^26] | Multi-control-family MSS with OWASP ASVS |
The Self-Assessment and Diagnostic Score
The framework includes a Self-Assessment that produces a single Diagnostic Score from 0 to 100. The score is designed to gauge an institution’s policy and governance maturity relative to the sector, without requiring the institution to adopt or map to any particular control framework.
Cybersecurity programs in higher education vary widely in which frameworks they follow and how they document their controls. Rather than measuring an institution against the specifics of NIST, ISO, or any single standard, the Diagnostic Score looks for the macro patterns that signal a mature policy program: whether the right topics are documented, whether governance roles and approval authorities are clear, and whether standards translate policy intent into technical specifications. Measuring at that level normalizes the variation across the sector into one consistent score, which supports two kinds of comparison: an institution against its peers, and an institution against itself over time.
| Level | Score | Interpretation |
|---|---|---|
| Mature | 80-100 | Comprehensive coverage, established governance |
| Developing | 50-79 | Good coverage, most Common items present |
| Foundational | 25-49 | Basic coverage, informal governance |
| Minimal | 0-24 | Limited coverage, significant gaps |
The Self-Assessment worksheet and its scoring formulas appear in Appendix A. A printable PDF version is available as a download with this book and with the companion guide, Building IT Policy Programs for Higher Education.
[^1]: The 2026 Edition uses US R1 research universities as the operational definition of “large research university.” To define the prevalence of specific policies and standards across higher education, we completed a census of large research institutions in the US. The framework is intentionally structured to support expansion to non-US institutions in future editions, where the reference group will include international equivalents to the US R1 institutions.
[^2]: UK National Cyber Security Centre, Cyber Assessment Framework (April 2024), https://www.ncsc.gov.uk/collection/cyber-assessment-framework.
[^3]: Family Educational Rights and Privacy Act (FERPA) (1974), https://www.ecfr.gov/current/title-34/subtitle-A/part-99.
[^4]: Federal Trade Commission, Standards for Safeguarding Customer Information (Safeguards Rule) (2023), https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-314.
[^5]: Americans with Disabilities Act of 1990, Pub. L. 101-336 (1990), https://www.ada.gov/law-and-regs/ada/.
[^6]: U.S. General Services Administration, Section 508 of the Rehabilitation Act (29 U.S.C. § 794d), as amended (2018), https://www.section508.gov/manage/laws-and-policies/.
[^7]: World Wide Web Consortium, “Web Content Accessibility Guidelines (WCAG) 2.2,” October 2023, https://www.w3.org/TR/WCAG22/.
[^8]: U.S. Department of Defense, Cybersecurity Maturity Model Certification (CMMC) Program (2024), https://dodcio.defense.gov/CMMC/.
[^9]: U.S. Bureau of Industry and Security, Export Administration Regulations (EAR), https://www.bis.gov/regulations/ear.
[^10]: U.S. Department of State, Directorate of Defense Trade Controls, International Traffic in Arms Regulations (ITAR), https://www.state.gov/bureaus-offices/under-secretary-for-arms-control-and-international-security-affairs/bureau-of-political-military-affairs/directorate-of-defense-trade-controls-pm-ddtc.
[^11]: Higher Education Opportunity Act, Pub. L. 110-315 (2008), https://www.congress.gov/bill/110th-congress/house-bill/4137.
[^12]: Digital Millennium Copyright Act, Pub. L. 105-304 (1998), https://www.congress.gov/bill/105th-congress/house-bill/2281.
[^13]: Federal Trade Commission, Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003 (2024), https://www.ecfr.gov/current/title-16/chapter-I/subchapter-F/part-681.
[^14]: National Institute of Standards and Technology, NIST Cybersecurity Framework 2.0 (February 2024), https://www.nist.gov/cyberframework.
[^15]: National Institute of Standards and Technology, Security and Privacy Controls for Information Systems and Organizations (September 2020), https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final.
[^16]: National Institute of Standards and Technology, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, Revision 2 (February 2020), https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final.
[^17]: National Institute of Standards and Technology, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, Revision 3 (May 2024), https://csrc.nist.gov/pubs/sp/800/171/r3/final.
[^18]: Cybersecurity and Infrastructure Security Agency, Cross-Sector Cybersecurity Performance Goals, Version 2.0 (December 2025), https://www.cisa.gov/cross-sector-cybersecurity-performance-goals.
[^19]: International Organization for Standardization, ISO/IEC 27001:2022 Information Security, Cybersecurity and Privacy Protection — Information Security Management Systems — Requirements (2022), https://www.iso.org/standard/27001.
[^20]: UK National Cyber Security Centre, Cyber Essentials, https://www.ncsc.gov.uk/cyberessentials/overview.
[^21]: Indiana University, “IT-12 Security Standards,” 2024, https://informationsecurity.iu.edu/policies/standards/index.html.
[^22]: University of Wisconsin-Madison, “UW-Madison Policy Library: Information Technology Policies,” 2025, https://policy.wisc.edu/.
[^23]: The Pennsylvania State University, “Information Assurance and IT Security (AD95): Policies and Standards,” 2024, https://security.psu.edu/awareness/.
[^24]: Texas A&M University, “Information Security Controls Catalog,” 2024, https://it.tamu.edu/policy/it-policy/controls-catalog/index.php.
[^25]: University of Florida, “UF Cybersecurity Framework (CSF) Maturity Assessment,” 2024, https://it.ufl.edu/security/security-guidance/uf-cybersecurity-framework-csf/.
[^26]: University of North Carolina at Chapel Hill, “Information Security Controls Standard (Minimum Security Standard),” 2025, https://policies.unc.edu/TDClient/2833/Portal/KB/?CategoryID=25084.