Governance Maturity · IT Policy family

Find the IT policy gaps before an audit does.

CampusCISO IT Policy engagements measure how complete, current, and defensible your policy program is, scored against how higher education institutions actually write and maintain their policies, not a generic template. Submit your policies; get a board-ready read grounded in benchmarking from hundreds of peer institutions.

Grounded in 400+ institutional policy libraries, updated as governance practice shifts

The IT Policy family answers the Governance Maturity question, one of the Three Lenses of Cyber Resilience that organize everything we do.

The Methodology

Four dimensions of a defensible policy program.

The assessment reads your governance program along four dimensions, then produces a single, clear read on governance maturity, not a binder no one has opened since the last audit.

01

Coverage

Do the policies you need actually exist?

Maps what's on the books against what an institution your size should have, and shows where the gaps are.

02

Currency

Are your documents current, or quietly out of date?

Flags policies that haven't kept pace with how the institution actually operates today.

03

Emerging risk

Has the program kept pace with new risk areas?

Checks for coverage of areas older policy sets never anticipated: artificial intelligence use, cloud services, and data governance.

04

Peer alignment

How does your program compare to peers?

Benchmarks how comparable institutions structure and maintain their policies, so your priorities are defensible.

Proactive governance

Surface your gaps on your schedule. Not an auditor's.

This is governance done on your terms, not compliance cleanup. Find and prioritize your policy gaps proactively, instead of discovering them when an auditor writes a finding or an underwriter asks for documentation you can't produce.

An actively maintained governance program is among the clearest evidence of due diligence you can produce for an auditor.

What the research shows

The gaps aren't random. They follow patterns.

Across 410 institutions, including every R1 research university in the United States, the 2026 study found governance gaps that cluster by institution type. Knowing the pattern tells you where to look first.

The Authentication Floor

Near-universal

Identity management is the one area where institutions of every size agree. Proof that sector-wide consensus on policy is possible.

The Ransomware Cliff

57% R1, 2% baccalaureate

Documented ransomware response procedures fall off sharply at smaller institutions, the part of preparedness a team fully controls.

The Oral Tradition Liability

Unwritten practice

Critical practices live in senior staff members' heads instead of written standards. When people leave, the program leaves with them.

2026 IT Policy Study

The Ransomware Cliff

Institutions with documented ransomware response procedures

Lowest and highest tiers, 2026 study

R1 research universities (Tier 1)

57%

Baccalaureate colleges (Tier 4)

2%

Source: 2026 CampusCISO IT Policy Study (n=410)

The full study and the framework behind it are free to read. See the IT Policy Guide for all three patterns and the full framework.

IT Policy family

Four engagement depths. One discipline.

Engage the IT Policy family at whatever layer fits your budget and maturity. The framework is free to read; the Diagnostic is the deliberate, low-risk entry point. Move further over time without changing disciplines.

Layer 1

Free

Community Resources

Published now

The CampusCISO IT Policy Framework (CC BY-ND 4.0), including the self-assessment methodology. Published and readable in full today.

Read the framework →

Layer 2

$39

Books & Courses

Published now

The CampusCISO IT Policy Practitioner Guide, teaching the methodology in depth. Published now, alongside the framework.

Explore the guide →

Layer 3

$399

2 business days

IT Policy Diagnostic

Primary entry point

0 to 100 Diagnostic Score for your institution

Peer benchmark against the higher education field

Policy inventory mapped against the CampusCISO IT Policy Framework

Prioritized list of 3 to 5 missing or outdated policies to address first

Personalized video overview of findings

30-day Cyber Bridge® coaching pass

$399 fee credits toward the Roadmap if you upgrade within 90 days

See the Diagnostic →

Layer 4

$4,999

10 business days

IT Policy Roadmap

Board-ready strategic roadmap built on Diagnostic findings

Prioritized recommendations with written narrative

Tier-level peer benchmarking against your CampusCISO Tier

A 30-minute strategy session to walk through the plan

See the Roadmap →

Annual memberships bundle the Diagnostic and Roadmap layers with sustained advisory support and Cyber Bridge® small-group coaching. This helps you maintain momentum and track progress against your baseline.

Who it's for

Start here when the question is governance and policy development.

IT Policy engagements answer whether your policy program is complete, current, and defensible, and show you what to fix first.

For the CISO

Preparing for an audit or a cyber insurance renewal, and wanting the gaps found and prioritized before someone else finds them.

For a new CISO

Wanting a defensible governance baseline in the first quarter, with a clear picture of what to fix first.

For any institution

Wanting to establish a regular cadence of policy review and refresh that aligns with peer institutions.

Governance isn't always the first question a CIO or CISO wants to answer. If the more urgent question is whether your deployed capabilities are adequate, start with Cyber Heat Map®. If it's whether your team can execute under pressure, start with TTX Coaching.

Questions

IT Policy, answered.

What do you need from us to run it?

Your IT and security policies and standards. Nothing sensitive: no playbooks, no personal data, just the documents that govern your campus. You submit them through the CampusCISO Portal, with no system access or site visit, and the Diagnostic comes back in two business days.

How is this different from a compliance audit?

An audit checks you against a fixed standard and writes findings. An IT Policy engagement is proactive governance work: it surfaces and prioritizes your gaps on your own schedule, while you still have room to act, and benchmarks you against how peer institutions actually maintain their policies.

What does the benchmark compare us against?

More than 400 institutional policy libraries analyzed across higher education. Because institutions often publish their policies, the benchmark is built partly from public sources and extended with de-identified data from engagements, so the comparison stays current.

Can we read the methodology first?

Yes. The CampusCISO IT Policy Framework is published under a Creative Commons license, and the CampusCISO IT Policy Practitioner Guide is published as well, so the method behind the score is readable in full before you engage.

Will this help with a cyber insurance renewal?

A maintained governance baseline is among the clearest evidence of due diligence you can put in front of an underwriter. Finding and closing gaps before a renewal is a lot easier than explaining missing documentation during one.

Start with a $399 Diagnostic.

A scored read on your governance maturity in two business days. No site visits, no open-ended billable hours.