Implementation Roadmap
Phased delivery: Foundations (6 mo) → Program Maturity (18 mo) → Continuous Improvement (Year 3).
Milestones and dependencies
- MFA to 100%
- Phishing baseline simulation
- KnowBe4 / Proofpoint deployed (depends on: Phishing baseline simulation)
- Vendor inventory completed
- IRP documented
- Tabletop exercise scheduled (depends on: IRP documented)
- PAM deployed for admin accounts (depends on: MFA to 100%)
- Tier-1 vendor questionnaires complete (depends on: Vendor inventory completed)
- Contract clauses updated (depends on: Tier-1 vendor questionnaires complete)
- Click-through rate below 10% (depends on: KnowBe4 / Proofpoint deployed)
- First FERPA audit log review
- Quarterly board scorecard running (depends on: IRP documented)
- Click-through rate below 5% (depends on: Click-through rate below 10%)
- Zero Trust fully implemented (depends on: PAM deployed for admin accounts)
- Vendor monitoring automated (depends on: Tier-1 vendor questionnaires complete)
- Annual IRP test complete (depends on: Tabletop exercise scheduled)
- ISO 27001 readiness assessment
- Board charter annual review
Year 1 prioritizes human-factor risk reduction (phishing), identity hardening (MFA), and governance foundations (vendor inventory, IRP) because, for a small college, these deliver the highest risk reduction per dollar and can be deployed without extended procurement cycles.
Phase 1 Rationale
MFA enforcement and phishing simulation deliver the highest risk reduction per dollar invested and can be deployed without extended procurement cycles. Vendor inventory and IRP documentation establish the governance foundation required for the Phase 2 maturity milestones, including PAM deployment and Tier-1 vendor questionnaires.
Phase     Timeline      Budget       Scope
Phase 1   Months 1-6    $45K-$60K    MFA, phishing baseline, vendor inventory, IRP
Phase 2   Months 7-18   $15K-$28K    PAM, vendor questionnaires, FERPA audit
Phase 3   Years 2-3     Sustaining   Zero Trust, ISO 27001 readiness, automation