Preface
Almost no technology leaders get excited at the prospect of reviewing and updating their IT policies. It’s easier to put it off until next year. But this work is foundational to IT risk management, and because the work is so universally dreaded, I’ve watched what I call Governance Debt build up at institution after institution. This is the gap between the policies and standards an institution should have and the ones it actually maintains. This doesn’t happen because anyone decided policy didn’t matter. Instead, it happens because updating policies is the task everyone’s happy to defer.
When policies are updated, the work can be slow and frustrating. Governance committees spend an hour wordsmithing a single clause, or debating whether it’s really appropriate to enforce a standard requirement in an academic setting. The questions are fair, but without a shared picture of what a mature higher education IT policy program actually looks like, every one of them gets re-litigated from scratch. The effort drains energy before the committee reaches the decisions that matter.
After nearly three decades in higher education, I’d seen enough of this pattern to want a better solution. So I built this framework. I wanted to take the dread out of the process and give the sector something it didn’t have: a shared, evidence-based picture of what a mature IT policy program contains, so those debates start from common ground instead of a blank page. It doesn’t reflect one expert’s preferences, and it isn’t a generic control catalog written for another industry and retrofitted to campus needs.
This framework is a benchmark of what colleges and universities actually publish and what regulations and standards they reference in their published policy libraries. It draws on research across more than 400 institutions and catalogs the patterns in mature policies. An institution can use the included Self-Assessment to measure itself and quickly see where it stands.
That sums up the framework’s job. It’s part of a bigger mission. Boards, auditors, and insurers keep asking campus technology leaders the same three questions: do we have the right cybersecurity capabilities, the right policies, and the ability to execute? I created CampusCISO to help institutions answer all three, and to go further than any one team can alone. Since 2021, I’ve been building tools that help campus leaders compare their institution’s cybersecurity against peers and track progress year over year. This framework is the starting point to shore up IT policies and standards, and it’s something I wanted to be free for any institution to use.
For years, I applied this framework’s components to support advisory client work. With the 2026 Edition, I’m publishing the full framework openly for the first time. It’s free for any higher education institution or advisor to use, licensed under a Creative Commons license (CC BY-ND 4.0). That choice was deliberate. I built CampusCISO to make cybersecurity simpler and more defensible for the entire sector, not just for the institutions that hire me. Plus, a benchmark is more useful when everyone can measure themselves using the same process.
So use this as a tool to overcome your Governance Debt. Complete the Self-Assessment to score your policy library, then use it each year as your program matures to identify opportunities and track how far you’ve moved. If this resource makes the work a little less dreaded at even one institution, it will have done its job.
Chris Schreiber
Founder, CampusCISO
P.S. If you didn’t get this book through campusciso.com/it-policy-guide, I recommend signing up for the free Community Edition. This is the first time I’m sharing the framework outside my advisory practice, and I anticipate publishing a few revisions as I get feedback. If you sign up with your email address, I’ll automatically send you notifications when I publish revisions.