IT INFRASTRUCTURE SECURITY POLICIES are broader in scope and depth than User Domain policies. As discussed in Chapter 9, User Domain policies focus on human access and data handling. The number of user-related policies can be limited because you can define specific user access requirements. There is also a practical matter of human capacity. When writing policies for the typical user, you must consider the capacity to learn and retain the information.

In contrast, the IT infrastructure is vast. The number of devices and possible access points are far greater. A single server may have hundreds of ports. Each port on a server is an access point that needs to be protected. Security policies define how ...