The SharePoint security model is officially called the "three-tier administrative model". This model lets you centralize configuration and management tasks and separate the administrative roles so that each can be delegated to the appropriate people.
This model consists of the following levels:
- Tier 1: Farm-level administrators
(These admins can manage Central Administration but can perform only limited actions at the site level. Farm administrators are members of the WSS_WPG and WSS_RESTRICTED_WPG groups on the computers where Central Administration is hosted.)
- Tier 2: Shared service-level administrators
- Tier 3: Site collection administrators
(A site collection administrator is a user with a flag in the content database that states they can perform all tasks within a site collection, including all tasks for specific sites within a site collection. This flag can be changed by using the Site Collection Administrators page in Central Administration, by using the Site Settings page on a top-level site, or by using the site owner operation with the Stsadm command-line tool.)
Plan your security according to this model.
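
As a starting point for that planning, the following added example (not part of the original page) is a read-only PowerShell audit that lists which accounts currently sit in the Tier 1 local groups named above and which accounts carry the Tier 3 site collection administrator flag. It assumes an elevated session on a farm server that hosts Central Administration, run by an account that can read every content database; the helper name `Get-LocalGroupMemberName` is hypothetical.

```powershell
# Added example: read-only audit of Tier 1 and Tier 3 membership.
# Assumption: run on a farm server hosting Central Administration, under an
# account allowed to read all site collections. Nothing is modified.

[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SharePoint')

# Hypothetical helper: returns the member names of a local Windows group
# through the ADSI WinNT provider.
function Get-LocalGroupMemberName {
    param([string]$GroupName)
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $member.GetType().InvokeMember('Name', 'GetProperty', $null, $member, $null)
    }
}

$report = @()

# Tier 1: the local groups the page associates with farm administrators.
foreach ($groupName in 'WSS_WPG', 'WSS_RESTRICTED_WPG') {
    foreach ($account in @(Get-LocalGroupMemberName $groupName)) {
        $report += New-Object PSObject -Property @{
            Tier = 1; Scope = "$env:COMPUTERNAME\$groupName"; Account = $account
        }
    }
}

# Tier 3: users flagged as site collection administrators, per site collection.
$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
foreach ($webApp in $contentService.WebApplications) {
    foreach ($site in $webApp.Sites) {
        try {
            foreach ($user in $site.RootWeb.SiteAdministrators) {
                $report += New-Object PSObject -Property @{
                    Tier = 3; Scope = $site.Url; Account = $user.LoginName
                }
            }
        }
        finally {
            $site.Dispose()   # SPSite holds unmanaged resources; always release it
        }
    }
}

# Accounts that appear in more than one scope are the ones to review first.
$report | Sort-Object Account, Tier | Format-Table Tier, Account, Scope -AutoSize
```

Run it on each server that hosts Central Administration, since the Tier 1 groups are local to each computer.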