Posts

Showing posts from November, 2025

NIST Framework v2.0 – A Must Have

The National Institute of Standards and Technology (NIST) Framework v2.0 is the gold standard cybersecurity resource for education, government and industry. The "framework" itself and the supporting technical documents are targeted to those people and teams responsible for implementing and supporting cybersecurity standards. Framework v2.0 is the newest version of the guidelines. Version 1.1 was the old standard. If you want to sound like you know what you're talking about, ask your President what version of the NIST Framework the IT department is following. If they say v1.1, ask them to review the new v2.0 guidelines. Buried deep within the NIST site, inside a Resource and Overview Guide, this summary ... The NIST Cybersecurity Framework (CSF) 2.0 can help organizations manage and reduce their cybersecurity risks as they start or improve their cybersecurity program. The CSF outlines specific outcomes that organizations can achieve to address risk. Other NIST resources hel...

Cybersecurity – Information Security Standards

The SANS Institute is a private, for-profit organization that provides excellent cybersecurity training, certifications, programs, and resources. The SANS Institute offers a long list of Cybersecurity and Information Security Policies and Standards templates. There are over 30 templates that your technical staff might be interested in. Here's a short list of policy templates...
• Password Construction Standard
• Network Device Management Policy
• Perimeter Network Access Management Policy
• Artificial Intelligence Acceptable Use Standard
That link again: https://www.sans.org/information-security-policy.

Cybersecurity Risk Foundation

The philosophy of the Cybersecurity Risk Foundation (CRF) is Advancing Cybersecurity Through Collaboration. That said, most of the resources, and membership, offered here are targeted towards leadership and/or technical staff. With a membership, staff would have access to a wide variety of technical assessment tools and customizable resources, including policy templates, which might be of interest to trustees. I suggest trustees make leadership aware of these resources, but don't insist on membership or adherence to all the resources. This site, and membership in the organization, is just one more option for your leadership and technical staff. Visit: https://crfsecure.org/ and/or the Governance and Risk Model page.

Staff Education Policy Template

The SANS Institute is a private, for-profit organization that provides excellent cybersecurity training, certifications, programs, and resources. The SANS Institute offers a long list of Cybersecurity and Information Security Policies and Standards templates. From the SANS site: In partnership, the Cybersecurity Risk Foundation (CRF) and SANS have created a library of free cybersecurity and information security policy templates to help organizations quickly define, document, and deploy key cybersecurity policies. To explore the full set of safeguards, risk, and maturity models behind these templates, visit https://crfsecure.org. If you don't already have a Cybersecurity policy in place, or if you want to compare yours to a professional template, download the staff Education Management Policy here. From the SANS site: Building a strong security culture starts with effective education and training programs that empower employees with the knowledge needed to protect sensitive d...

The State of Ransomware in Education 2022

The State of Ransomware in Education 2022 is a report created by the well-known and respected security software vendor, Sophos. The key takeaway from the report: "The ransomware challenge facing education organizations continues to grow. The proportion of organizations directly impacted by ransomware has increased considerably over the last year. Furthermore, adversaries have an above-average success rate when it comes to encrypting data in an attack." There's much more in the report. The audience for this report is your college President and leadership team, but the Board needs to be aware of the rising cost of ransomware attacks on higher education. Get this report into the hands of your President.

Cybersecurity Fact Sheets for Small Business

The Federal Trade Commission's (FTC) Cybersecurity for Small Business Fact Sheets, while focusing on small business rather than education, offer terrific summaries of cybersecurity and workplace technology terms. As many college trustees are business managers or owners in their day jobs, you may find this information very useful. Download Cybersecurity for Small Business Fact Sheets now.

What is Cybersecurity? (Video)

What is cyber security? is a video created by a United Kingdom local government education organization. This three-minute video gives a concise, non-technical introduction to cybersecurity terms. The video is one of a series of technology videos created for UK local government leaders. While non-technical, the videos are still informative. Clicking on the buttons below (Policy, Culture, etc.) will take you to articles with similar themes.

CISA Cybersecurity Essentials Handout

The Cybersecurity and Infrastructure Security Agency (CISA) is a US government agency that provides information on, well, protecting electronic and non-electronic government resources! The Cyber-Essentials Guide is a two-page handout with one side focusing on "leadership" essentials and the back side on "IT Professional" essentials. The handout is an excerpt from the larger and more detailed CISA Cyber Essentials Starter Kit. The CISA Cyber Essentials Starter Kit is something you should download too, as the document addresses the cultural as well as technical changes required for a successful cybersecurity policy. Start with The Cyber-Essentials Guide.

Leadership Conversation Cheat Sheet

The SANS Institute is a private, for-profit organization that provides excellent cybersecurity training, certifications, programs, and resources. The SANS Institute Leadership Conversation Cheat Sheet is a great, focused primer for discussing and explaining the importance of cybersecurity initiatives. Written for leadership, this non-technical document lays the groundwork for supporting cybersecurity initiatives as part of your organization's overall risk management program. Download the file now and share it with your leadership team. While you're clicking, download this CISA Cyber-Essentials handout too. The conversation cheat sheet and this handout make for a great starter discussion with leadership. (These were the two handouts I distributed at the November 6, 2025 ICCTA meeting in Rockford.)