The Zero Trust Access Control Checklist for Higher Education

Strategy documents don’t reveal where a campus actually stands on zero trust. Twenty blunt questions do.

How to use this: the checklist below is a self-assessment for campus security, IT, and facilities leaders — four sections, five questions each, scored one point per “yes.” Under 8 means implicit trust is your operating model; 8–14 means the foundations exist and verification is the gap; 15+ means you’re sequencing waves, not starting. Answer honestly; the uncomfortable rows are the roadmap. (For the doctrine behind the questions, start at the definition.)

Section 1: Visibility — do you know your doors?

  1. Do you have a current inventory of every controlled door, mapped to the assets and populations behind it?
  2. Can you rank those doors by the cost of a wrong entry — regulated labs, data centers, residence halls scored above lounges?
  3. Do you know which card formats are deployed where, including the legacy formats that clone in seconds?
  4. Do you have any measurement of tailgating volume at your busiest doors, versus anecdote?
  5. Could you produce, today, a defensible list of who can currently open your five most sensitive doors?

Section 2: Credential integrity — what does the door actually verify?

  1. At your highest-risk doors, does entry verify the person rather than the token? (A card plus PIN verifies a token plus a secret; only biometrics verify the person.)
  2. Is credential sharing structurally impossible at any door — not prohibited by policy, but impossible?
  3. Are lost-card windows measured and bounded — the average time from loss to deactivation known and reported?
  4. Do any doors detect and flag unverified entry in real time?
  5. Where verification exists, is it liveness-checked, so a photo or screen can’t stand in for a face?

Section 3: Evidence — what can your logs prove?

  1. After an incident, can your access log attest to people rather than credentials at the affected door?
  2. Do unverified entries (tailgates, held doors) generate records at all, or do they simply not exist in your data?
  3. Would your access records survive the deposition question “how do you know who was holding the card?” for the doors named in your Annual Security Report?
  4. Are log-viewing permissions role-based and audited, treating door data with the discipline of any other sensitive record?
  5. For regulated spaces, do your records satisfy the framework’s actual question — who entered — rather than a proxy for it?
  1. Is physical access provisioned and revoked through the same joiner-mover-leaver process as accounts?
  2. Does separation or graduation revoke door access on a measured clock, not a semester lag?
  3. If you run biometrics anywhere: is enrollment opt-in, with consent recorded, auditable, and revocable?
  4. Does revocation delete the biometric template — verifiably — rather than flagging it inactive?
  5. Does a badge fallback remain at every verified door, so declining costs a student nothing?

What do you do with the score?

The pattern of failed rows matters more than the total. Failing Section 1 means start with inventory — nothing else sequences without it. Failing Section 2 with a decent Section 1 is the classic profile, and the five-stage roadmap is written for exactly that campus: verification waves at the doors your own scoring ranked highest, on the ACS you already run. Failing Section 3 alone usually means the data exists but governance doesn’t. Section 4 failures are policy work — the privacy playbook and a consent architecture, before any hardware.

One caution about checklists: they measure posture, not outcomes. A 17 with no incident-response process behind the flags is theater with good paperwork. Pair the score with a named owner for what happens when a door raises its hand.

Want a second set of eyes on your answers? Book a demo and bring the failed rows — that’s the working session in its natural form.

Frequently asked questions

How is the zero trust access checklist scored?

One point per yes across twenty questions in four sections. Under 8: implicit trust is the operating model — start with inventory. 8–14: foundations exist and verification is the gap. 15 and up: you are sequencing deployment waves, not starting from zero.

Which section of the checklist matters most?

The pattern of failed rows matters more than the total. Visibility failures block everything else; credential-integrity failures are the classic campus profile with a clear roadmap; evidence failures are governance work; lifecycle failures are policy work before any hardware.

Does a high checklist score mean the campus is secure?

No — checklists measure posture, not outcomes. A high score with no incident-response process behind the alerts is paperwork. Pair the score with a named owner for what happens when a door flags unverified entry, and revisit the failed rows on a schedule.