UUK's recent policy document: Cyber Security: Protecting Universities from the Cyber Threat

Makes the following statement:

"Apply the 20 controls for effective cyber defence as set out on the Centre for the Protection of National Infrastructure website. Information on the 20 controls can be found here: http://www.cpni.gov.uk/advice/cyber/Critical-controls/. The website is dynamic so that it can deal with changes in technology and methodology, so it may be useful to revisit the controls on regular basis."

The top 20 critical security controls for cyber defence are a baseline of high-priority information security measures and controls that can be applied across an organisation in order to improve its cyber defence. 

 Some of these are very challenging for universities, for example: 'Controlled use of administrative privileges'.   Does anyone have views on this?