This chapter examined the risk associated with the User domain, one of the seven domains of an IT infrastructure. As the number of users grows on the network, their diverse needs also grow. Security policies are a structured way of managing the user-related risks in this complex environment. The chapter reviewed the many different types of users and discussed unique roles such as administrator, security, and auditor. With these roles often come elevated privilege and enormous responsibilities.
Security policies are an effective way to reduce risks and govern users. They help identify the higher risk activities such as those performed by systems administrators. The policies are based on principles that help apply security consistently. These principles include core concepts such as least access privileges and best fit access privileges. The principles lay out risk choices and must strike a balance between cost to maintain and risks to control. In the end, security policies can educate users, reduce human error, and be used to better understand how incidents occurred.