Governance Maturity · IT Policy family
CampusCISO IT Policy engagements measure how complete, current, and defensible your policy program is, scored against how higher education institutions actually write and maintain their policies, not a generic template. Submit your policies; get a board-ready read grounded in benchmarking from hundreds of peer institutions.
Grounded in 400+ institutional policy libraries, updated as governance practice shifts
The IT Policy family answers the Governance Maturity question, one of the Three Lenses of Cyber Resilience that organize everything we do.
The Methodology
The assessment reads your governance program along four dimensions, then produces a single, clear read on governance maturity, not a binder no one has opened since the last audit.
01
Coverage
Maps what's on the books against what an institution your size should have, and shows where the gaps are.
02
Currency
Flags policies that haven't kept pace with how the institution actually operates today.
03
Emerging risk
Checks for coverage of areas older policy sets never anticipated: artificial intelligence use, cloud services, and data governance.
04
Peer alignment
Benchmarks how comparable institutions structure and maintain their policies, so your priorities are defensible.
Proactive governance
This is governance done on your terms, not compliance cleanup. Find and prioritize your policy gaps proactively, instead of discovering them when an auditor writes a finding or an underwriter asks for documentation you can't produce.
An actively maintained governance program is among the clearest evidence of due diligence you can produce for an auditor.
What the research shows
Across 410 institutions, including every R1 research university in the United States, the 2026 study found governance gaps that cluster by institution type. Knowing the pattern tells you where to look first.
The Authentication Floor
Near-universal
Identity management is the one area where institutions of every size agree. Proof that sector-wide consensus on policy is possible.
The Ransomware Cliff
57% R1, 2% baccalaureate
Documented ransomware response procedures fall off sharply at smaller institutions, the part of preparedness a team fully controls.
The Oral Tradition Liability
Unwritten practice
Critical practices live in senior staff members' heads instead of written standards. When people leave, the program leaves with them.
2026 IT Policy Study
The Ransomware Cliff
Institutions with documented ransomware response procedures
Lowest and highest tiers, 2026 study
R1 research universities (Tier 1)
57%
Baccalaureate colleges (Tier 4)
2%
Source: 2026 CampusCISO IT Policy Study (n=410)
The full study and the framework behind it are free to read. See the IT Policy Guide for all three patterns and the full framework.
IT Policy family
Engage the IT Policy family at whatever layer fits your budget and maturity. The framework is free to read; the Diagnostic is the deliberate, low-risk entry point. Move further over time without changing disciplines.
Layer 1
Free
Community Resources
Published now
The CampusCISO IT Policy Framework (CC BY-ND 4.0), including the self-assessment methodology. Published and readable in full today.
Read the framework →Layer 2
$39
Books & Courses
Published now
The CampusCISO IT Policy Practitioner Guide, teaching the methodology in depth. Published now, alongside the framework.
Explore the guide →Layer 3
$399
2 business days
IT Policy Diagnostic
Primary entry point
0 to 100 Diagnostic Score for your institution
Peer benchmark against the higher education field
Policy inventory mapped against the CampusCISO IT Policy Framework
Prioritized list of 3 to 5 missing or outdated policies to address first
Personalized video overview of findings
30-day Cyber Bridge® coaching pass
$399 fee credits toward the Roadmap if you upgrade within 90 days
Layer 4
$4,999
10 business days
IT Policy Roadmap
Board-ready strategic roadmap built on Diagnostic findings
Prioritized recommendations with written narrative
Tier-level peer benchmarking against your CampusCISO Tier
A 30-minute strategy session to walk through the plan
Annual memberships bundle the Diagnostic and Roadmap layers with sustained advisory support and Cyber Bridge® small-group coaching. This helps you maintain momentum and track progress against your baseline.
Who it's for
IT Policy engagements answer whether your policy program is complete, current, and defensible, and show you what to fix first.
For the CISO
Preparing for an audit or a cyber insurance renewal, and wanting the gaps found and prioritized before someone else finds them.
For a new CISO
Wanting a defensible governance baseline in the first quarter, with a clear picture of what to fix first.
For any institution
Wanting to establish a regular cadence of policy review and refresh that aligns with peer institutions.
Governance isn't always the first question a CIO or CISO wants to answer. If the more urgent question is whether your deployed capabilities are adequate, start with Cyber Heat Map®. If it's whether your team can execute under pressure, start with TTX Coaching.
Questions
Your IT and security policies and standards. Nothing sensitive: no playbooks, no personal data, just the documents that govern your campus. You submit them through the CampusCISO Portal, with no system access or site visit, and the Diagnostic comes back in two business days.
An audit checks you against a fixed standard and writes findings. An IT Policy engagement is proactive governance work: it surfaces and prioritizes your gaps on your own schedule, while you still have room to act, and benchmarks you against how peer institutions actually maintain their policies.
More than 400 institutional policy libraries analyzed across higher education. Because institutions often publish their policies, the benchmark is built partly from public sources and extended with de-identified data from engagements, so the comparison stays current.
Yes. The CampusCISO IT Policy Framework is published under a Creative Commons license, and the CampusCISO IT Policy Practitioner Guide is published as well, so the method behind the score is readable in full before you engage.
A maintained governance baseline is among the clearest evidence of due diligence you can put in front of an underwriter. Finding and closing gaps before a renewal is a lot easier than explaining missing documentation during one.
A scored read on your governance maturity in two business days. No site visits, no open-ended billable hours.