CampusCISO IT Policy Framework Edition History
The framework is designed to evolve. Each year’s research measures observed practice across the sector, identifies items that may belong in the inventory, and adjusts classifications as adoption shifts. This appendix shows what changed between editions and why.
Throughout this document, prevalence figures reflect Tier 1 institutions with full documentation visibility. See the Methodology and Findings chapter.
2026 Edition
Summary
The 2026 Edition expands policy coverage from 13 to 17 items and standards coverage from 22 to 24 items, based on patterns identified in the 2026 CampusCISO IT Policy Study. Several items were reclassified based on updated prevalence data.
New Policies (4)
| Ref | Policy | Rationale |
|---|---|---|
| P-14 | Digital Presence / Web Governance | Observed at 9%; emerging governance area for domain management and institutional web presence |
| P-15 | Copyright Compliance / DMCA | HEOA compliance requirement; observed at 5% as standalone policy |
| P-16 | Identity Theft Prevention | FTC Red Flags Rule requirement; only 11% despite legal mandate |
| P-17 | Institutional Access to Electronic Information | Privacy boundary policy for access to user accounts and communications; observed at 5% |
New Standards (2)
| Ref | Standard | Rationale |
|---|---|---|
| S-23 | Security Exception Management | Formal waiver and deviation processes observed at 7%; critical for governance maturity |
| S-24 | International Travel Security | NSPM-33 and CHIPS Act requirements; only 6% despite research security imperative |
Reclassifications
Upgraded (prevalence increased or importance elevated):
| Ref | Item | From | To | Rationale |
|---|---|---|---|---|
| P-09 | Information Security | Common | Universal | Observed at 99% in 2026 study |
| P-13 | Third-Party Risk Management | Emerging | Common | Observed at 76%; sector maturation |
| S-13 | Server and Endpoint Management | Common | Universal | Observed at 95% |
| S-19 | Personnel Security | Common | Universal | Observed at 93% |
| S-21 | Ransomware Response Procedures | Emerging | Common | Observed at 57%; threat-driven adoption |
Downgraded (prevalence decreased or measurement refined):
| Ref | Item | From | To | Rationale |
|---|---|---|---|---|
| P-01 | Information Technology Administration | Universal | Common | Observed at 72%; v4.3 figure reflected smaller sample |
| S-08 | Backup and Recovery | Universal | Common | Observed at 84% in expanded sample; v4.3 figure reflected smaller sample |
| S-18 | Email Security | Universal | Common | Observed at 88% in expanded sample; v4.3 figure reflected smaller sample |
Sector-Wide Gaps Updates
Added:
- Identity Theft Prevention (FTC Red Flags Rule required, observed at 11%)
- International Travel Security (NSPM-33/CHIPS Act imperative, observed at 6%)
Methodology Changes
- Expanded sample from Tier 1 only to 410 institutions across all institutional tiers
- Introduced the 60% visibility threshold. Tiers below the threshold use visibility-limited labels instead of percentages. These labels were renamed from the earlier Common/Rare to High/Mixed/Low to avoid collision with the framework’s Common classification.
- Standardized margin of error reporting to a single ±4% figure based on the standards Visible Sample (n=142)
- Revised quantitative scoring weights. Removed 5 points from Universal Policies and Universal Standards, and increased Total Policies and Total Standards weights from 5 to 10. The change maintains the 60-point maximum while giving additional credit for maintaining a comprehensive policy library.
Version 4.3 (December 2025)
Framework 4.3 was the production version used during the R1 census phase of the 2026 CampusCISO IT Policy Study. It established the 13-policy, 22-standard structure that formed the baseline for the 2026 Edition.
Key characteristics:
- 13 policies (7 Universal, 4 Common, 2 Emerging)
- 22 standards (11 Universal, 8 Common, 3 Emerging)
- 5 Sector-Wide Gaps
- R1-only prevalence data
Edition History Summary
| Version | Date | Policies | Standards | Sample Size | Key Changes |
|---|---|---|---|---|---|
| 2026 Edition (v5.0) | May 2026 | 17 | 24 | 410 (all tiers) | Multi-tier expansion, 4 new policies, 2 new standards |
| v4.3 | Dec 2025 | 13 | 22 | 187 (R1 only) | R1 census completion |
| v4.2 | Nov 2025 | 13 | 22 | 150 (R1 only) | Maturity boundary adjustments |
| v4.0 | Oct 2025 | 13 | 22 | 100 (R1 only) | Framework restructure |
| v3.x | 2024 | 11 | 18 | 50 (R1 only) | Initial empirical validation |
The 2026 Edition is the first publicly released framework. Earlier version numbers (v3.x through v4.3) reflect internal development milestones during the framework’s empirical validation period. Intermediate versions not shown (including v4.1) were internal builds with no structural impact on the published framework.
Where to go from here
Policy work can be tackled internally or with outside support. The CampusCISO offerings below map to a range of institutional needs.
Start with this framework. The CampusCISO IT Policy Framework, updated annually, is freely available at campusciso.com/it-policy-guide. The Community Edition is the foundation that all other CampusCISO IT Policy offerings build on. Institutions can use it on its own as a reference for self-directed work.
Build it with the guide. Building IT Policy Programs for Higher Education interprets the framework. It includes a light assessment workflow and a structured approach to building a development roadmap. An institution with the staff capacity and the patience will find everything it needs in the book to build a defensible IT policy improvement cycle.
Get a baseline diagnostic. The IT Policy Diagnostic delivers a 0-100 score and a prioritized gap list within two business days. It’s the fastest way to answer “Where do we actually stand?” with evidence to bring to leadership. Useful for new CISOs in their first 90 days, programs preparing for audit, and any institution that wants a defensible baseline without committing to a larger engagement.
Get a development roadmap. The IT Policy Roadmap provides a detailed review of every policy in an institution’s portfolio, peer benchmarking, and a sequenced development plan weighted by impact, cost, complexity, and regulatory support. Ideal for institutions that want to identify defensible improvement priorities.
Make it ongoing. CampusCISO membership turns governance from a one-time project into a continuous improvement cycle with ongoing access to expert advisory support.
For the full service catalog, visit campusciso.com.
Document Information
- Publication: CampusCISO IT Policy Framework
- Edition: 2026 Edition
- Originally Published: June 2026
- Next Review: April 2027
- Author: Chris Schreiber, Founder, CampusCISO
- Recommended Citation: Schreiber, C. (2026). CampusCISO IT Policy Framework (2026 Edition). CampusCISO.
- Availability: Freely available at campusciso.com/it-policy-guide