The book & the free framework · 2026 edition

Most universities have IT policies. Few have a strategy behind them.

A practical guide for the CIO or CISO who has policies but not a program the board can defend. Find the gaps that create real exposure, design for the shared governance and academic culture that make campus security different, and close them on a cycle your team can sustain. Grounded in policy research across 410 institutions, including every US R1 university.

Looking for the free CampusCISO IT Policy Framework? Get it here →

Cover of "Building IT Policy Programs for Higher Education" by Chris Schreiber, 2026 Edition

The core idea

Higher education IT policy isn't a documentation problem. It's a governance problem.

The distance between what should be documented and what actually exists creates Governance Debt. Like deferred maintenance on a building, it follows predictable patterns and compounds over time. Regulations change, threats evolve, and best practices shift each year, while the documentation stays where it was when someone last had time to update it.

Measure your Governance Debt. Pay it down through an annual cycle your team can actually sustain. The goal isn't to fix everything at once. It's to stop the compounding.

When Governance Debt comes due, during a compliance audit, a cyber insurance renewal, or a federal grant review, it turns from a documentation gap into direct financial and legal exposure. The guide gives you a defensible way to prioritize what to tackle first and what can wait.

The 2026 landscape

Three patterns define higher education's policy landscape.

Across 410 institutions, including every R1 research university in the United States, three patterns emerged. Each shows where your peers have built on solid ground and where the foundation is still thin.

01

The Authentication Floor

Near-universal

Identity management is the one area where we found consensus across institutions of every size. Proof that sector-wide agreement on policy is possible when the incentives align.

02

The Ransomware Cliff

57% R1 · 2% baccalaureate

Documented ransomware response procedures drop off sharply at smaller institutions. A written plan is the part of preparedness a team fully controls, and it separates a purposeful response from a scramble.

03

The Oral Tradition Liability

Unwritten practice

Critical technical practices, from system configurations to the workarounds that keep things running, live in senior staff members' heads instead of written standards. When people leave, the program leaves with them.

Beyond the three patterns, the 2026 study surfaces additional gaps where the regulatory environment or threat landscape has moved faster than institutional documentation, including research security, public versus private adoption differences, and applying CUI protections to Federal Student Aid data.

Inside the book

What you'll know how to do after reading it.

Less theory, more method. Each chapter turns a pattern from the study into something you can act on, so you finish with a plan you can take to leadership, not another list of what’s broken.

01

Identify which policy gaps create real exposure

Separate the gaps that matter from the gaps that look bad on a checklist but carry no material risk.

02

Map your regulatory obligations to specific policies

FERPA, GLBA, HIPAA, CMMC, NSPM-33, export controls, state breach laws, and the CUI protections now applying to Federal Student Aid data.

03

Apply a framework of 17 policies and 24 standards

Grounded in what institutions actually publish, and built to sit alongside NIST, CIS, and ISO rather than compete with them.

04

Run a self-assessment at your team's actual capacity

A 20-hour quick inspection for fast triage, or a 70 to 130-hour full inventory with prioritized gap analysis.

05

Establish an annual review and refresh program

Turn the one-time cleanup into an annual cycle, so Governance Debt stops compounding instead of building back up.

Free framework

The framework is free. The guide shows you how to apply it.

We made the CampusCISO IT Policy Framework free for any institution to adopt, because good governance shouldn't depend on budget.

CampusCISO® IT Policy Framework

The full reference this guide is built on: 17 policies and 24 standards drawn from observed practice across 410 institutions, how the structure was developed, and the self-assessment methodology for scoring where your institution stands. Released under Creative Commons, with a free Community Edition on Leanpub.

Get the free framework

About the author

Built by someone who has lived the roles.

The guide and framework were written by Chris Schreiber, founder of CampusCISO, who brings nearly 30 years of higher education technology leadership. Before founding the practice in 2021, Chris held CISO roles at the University of Chicago, the University of Arizona, and the University of Wisconsin-Whitewater, and worked the vendor side at SunGard Higher Education (now Ellucian) and FireEye/Mandiant (now parts of Trellix and Google Cloud). He learned to navigate the friction of decentralized IT governance by living it.

3

CISO roles in higher education

130+

Institutions served since 2021

410

Policy libraries analyzed for this book

More about Chris →

Prefer working together instead of a self-assessment?

The book teaches the method. A Diagnostic applies it for you.

The $399 IT Policy Diagnostic scores your library against the framework in two business days, shows where you stand against the higher education field, and hands you a prioritized list of your top policy gaps: the outside, expert read a self-assessment can’t give you.

Measure your Governance Debt. Pay it down.

Get the book, use the free framework, and build the annual cycle that keeps the debt from compounding.