Information Security and Privacy

Various legal mandates impose IT security management requirements on organizations that store and process personal, financial, and other types of sensitive data. Institutions that are not in compliance may face the loss of funding or other penalties. Some mandates specify security controls that can be complex and expensive to put into place. Implementing common controls across multiple IT systems can result in significant cost savings due to economies of scale. Challenges arise, however, when an IT security control regime intended for an operational environment with centralized management and funding is applied to a research institution composed of autonomous organizational units with disparate funding sources and heterogeneous IT systems.