Higher education IT governance, risk, and compliance (GRC) programs are in the development stage. Few institutions have all three programs in place, and many institutions are unclear where they should start when instituting or maturing their IT GRC programs. In addition, they are often uncertain as to whether GRC programs should be developed in parallel or separately. Institutions take various approaches in deciding which programs--IT governance, risk, and/or compliance--should be instituted. Ideally, all three would be in place, but resources and culture may dictate the priority and progress of IT GRC initiatives. There is consensus in who leads IT GRC programs--most often it is the CIO or the chief information security officer (CISO)--and these leads are generally given a relatively broad scope of authority. This 2014 study of IT GRC describes the current landscape of IT GRC programs in higher education; identifies aspects of the IT GRC environment that will aid CIOs, CISOs, and other leads to make decisions about IT GRC initiatives; and outlines steps institutions can take to become more mature in their IT GRC programs. Key findings include: (1) Formal enterprise or IT risk management and compliance programs are the exception rather than the rule; (2) Most institutions have a formal institutional governance body in place; (3) There are significant gaps between the perceived importance of specific risks and the effectiveness with which they are being addressed; (4) Maturity in IT risk management can be assessed along four dimensions: Communication/End-User Management, Acceptance, Risk Assessment/Management, and Investment; (5) Maturity in risk management is associated with stronger governance and compliance efforts and processes; (6) Fewer than half of institutions report that they effectively communicate about IT risks to all relevant parties; (7) Those with an IT governance body in place are more likely to involve others--particularly faculty, students, and alumni--in both IT budgeting and other IT governance decisions; and (8) Investment in risk management is associated with more progressive GRC efforts.