The book & the free framework · 2026 edition
A practical guide for the CIO or CISO who has policies but not a program the board can defend. Find the gaps that create real exposure, design for the shared governance and academic culture that make campus security different, and close them on a cycle your team can sustain. Grounded in policy research across 410 institutions, including every US R1 university.
Looking for the free CampusCISO IT Policy Framework? Get it here →

The core idea
The distance between what should be documented and what actually exists creates Governance Debt. Like deferred maintenance on a building, it follows predictable patterns and compounds over time. Regulations change, threats evolve, and best practices shift each year, while the documentation stays where it was when someone last had time to update it.
Measure your Governance Debt. Pay it down through an annual cycle your team can actually sustain. The goal isn't to fix everything at once. It's to stop the compounding.
When Governance Debt comes due, during a compliance audit, a cyber insurance renewal, or a federal grant review, it turns from a documentation gap into direct financial and legal exposure. The guide gives you a defensible way to prioritize what to tackle first and what can wait.
The 2026 landscape
Across 410 institutions, including every R1 research university in the United States, three patterns emerged. Each shows where your peers have built on solid ground and where the foundation is still thin.
01
Near-universal
Identity management is the one area where we found consensus across institutions of every size. Proof that sector-wide agreement on policy is possible when the incentives align.
02
57% R1 · 2% baccalaureate
Documented ransomware response procedures drop off sharply at smaller institutions. A written plan is the part of preparedness a team fully controls, and it separates a purposeful response from a scramble.
03
Unwritten practice
Critical technical practices, from system configurations to the workarounds that keep things running, live in senior staff members' heads instead of written standards. When people leave, the program leaves with them.
Beyond the three patterns, the 2026 study surfaces additional gaps where the regulatory environment or threat landscape has moved faster than institutional documentation, including research security, public versus private adoption differences, and applying CUI protections to Federal Student Aid data.
Inside the book
Less theory, more method. Each chapter turns a pattern from the study into something you can act on, so you finish with a plan you can take to leadership, not another list of what’s broken.
01
Separate the gaps that matter from the gaps that look bad on a checklist but carry no material risk.
02
FERPA, GLBA, HIPAA, CMMC, NSPM-33, export controls, state breach laws, and the CUI protections now applying to Federal Student Aid data.
03
Grounded in what institutions actually publish, and built to sit alongside NIST, CIS, and ISO rather than compete with them.
04
A 20-hour quick inspection for fast triage, or a 70 to 130-hour full inventory with prioritized gap analysis.
05
Turn the one-time cleanup into an annual cycle, so Governance Debt stops compounding instead of building back up.
Free framework
We made the CampusCISO IT Policy Framework free for any institution to adopt, because good governance shouldn't depend on budget.
CampusCISO® IT Policy Framework
The full reference this guide is built on: 17 policies and 24 standards drawn from observed practice across 410 institutions, how the structure was developed, and the self-assessment methodology for scoring where your institution stands. Released under Creative Commons, with a free Community Edition on Leanpub.
Get the free frameworkAbout the author
The guide and framework were written by Chris Schreiber, founder of CampusCISO, who brings nearly 30 years of higher education technology leadership. Before founding the practice in 2021, Chris held CISO roles at the University of Chicago, the University of Arizona, and the University of Wisconsin-Whitewater, and worked the vendor side at SunGard Higher Education (now Ellucian) and FireEye/Mandiant (now parts of Trellix and Google Cloud). He learned to navigate the friction of decentralized IT governance by living it.
3
CISO roles in higher education
130+
Institutions served since 2021
410
Policy libraries analyzed for this book
Prefer working together instead of a self-assessment?
The $399 IT Policy Diagnostic scores your library against the framework in two business days, shows where you stand against the higher education field, and hands you a prioritized list of your top policy gaps: the outside, expert read a self-assessment can’t give you.
Get the book, use the free framework, and build the annual cycle that keeps the debt from compounding.