Cybersecurity and Privacy Guide

Governance, compliance, and policy are all avenues through which institutions can mitigate the risks that higher education faces as cybersecurity grows more complex. This section provides examples of policies, case studies, and templates that help leadership and cybersecurity and privacy practitioners implement proper Governance, Risk, and Compliance (GRC) programs now and in the future.

Risk Management and Mitigation


Risk can be mitigated, avoided, transferred, or even accepted. Learn about the different ways you can manage the risk at your institution.

Cyber Resilience: The Future for Higher Education
Cyber resilience is fundamental for the future of higher education institutions. Improve on these three CISO-backed initiatives to strengthen cyber resilience at your organization.

Frequently Asked Questions about Cyber Insurance
As cyber insurance continues to be a challenge for institutions, this FAQ holds key questions that higher education stakeholders have found most challenging.

Higher Education Community Vendor Assessment Toolkit
The HECVAT is a questionnaire framework specifically designed for higher education to measure vendor risk. Before an institution purchases a third-party solution, it can ask the solution provider to complete a HECVAT tool to determine the extent to which information, data, and cybersecurity policies are in place to protect sensitive institutional information.

How Case Western Reserve University Responded to the Cybersecurity Insurance Crisis
Cybersecurity is becoming more expensive for higher education institutions. Case Western Reserve University is responding to the challenge by prioritizing its security controls.

The Importance of Risk Assessment When Reading Terms and Conditions
Campus privacy and security professionals can adapt these materials to build awareness of the importance of evaluating the terms and conditions and privacy policies when acquiring new software and hardware.


Policy Perspectives


The internet is everywhere and nowhere. Data flows from territory to territory, and various international, federal, and state laws and policies apply. This section will help you gain clarity about the overlapping nature of policies that affect your institution.

Federal Policy Perspectives on the EDUCAUSE 2023 Top 10 IT Issues
EDUCAUSE community members offer federal policy perspectives on the 2023 Top 10 IT Issues.

The Biden Administration Issues a National Cybersecurity Strategy
The Biden Administration has released a National Cybersecurity Strategy, a comprehensive plan to address today's most pressing cybersecurity issues. The National Cybersecurity Strategy does not explicitly include policies for higher education, but some policies may open or strengthen opportunities for institutions to participate in federally funded cybersecurity programs.


The Ongoing Challenge of Compliance


Once legal and regulatory implications are understood, compliance is next. This section provides what you need to ensure compliance with policies that impact higher education.

Cybersecurity Maturity Model Certification 2.0: What It Means for Higher Education
The first iteration of the Cybersecurity Maturity Model Certification program (CMMC 1.0) approached cybersecurity as an abstract set of rules that were largely removed from how security is practiced. The changes in CMMC 2.0 seem to be a direct response to the weaknesses of CMMC 1.0.

NIST 800-171 Toolkit
This toolkit provides an overview of NIST SP 800-171 and its implications for higher education, questions to ask during project planning, a link to 7 Things You Should Know About CMMC to use when speaking with stakeholders and leadership, and a customizable control evaluation.

Shielding Campus Data from the Bad Guys
Failing to adhere to data-protection regulations can be costly for colleges and universities. In many cases, the safest route to full compliance is partnering with experts who can help.

7 Things You Should Know about Cybersecurity Maturity Model Certification (CMMC)
Use this two-page resource to get essential information on the Cybersecurity Maturity Model Certification (CMMC), including potential implications and opportunities.

Connect with Your Peers on This Topic

GRC Community Group

EDUCAUSE Working Groups

800-171 Community Group
