Abstract
Higher education IT governance, risk, and compliance (GRC) programs are in the development stage. Few institutions have all three programs in place, and many institutions are unclear where they should start when instituting or maturing their IT GRC programs. In addition, they are often uncertain as to whether GRC programs should be developed in parallel or separately.
This 2014 ECAR study of IT GRC describes the current landscape of IT GRC programs in higher education; identifies aspects of the IT GRC environment that will help CIOs, CISOs, and other leads make decisions about IT GRC initiatives; and outlines steps institutions can take to become more mature in their IT GRC programs.