Balance, Daniel-san...
Being the IT geeks that we are, we are very reliant on engineering and technology to solve data access problems, but in reality, we need to strike a balance: between technology and policy solutions, and between access and security.

I think that there is a subset of situations and users for which these 'best practices' might be useful, but overall, achieving a complete level of lockdown on corporate systems sounds unworkable.

For those users that are using PCs for limited, repetitive activities (call centers, data entry, equipment control, etc), most of this list makes sense and sounds do-able. Some of the items on the list are universally good ideas: least privilege access, proper audits, rights management, etc. I have seen too many companies, from 3-person shops to large corporations, whose networks are so wide open that any discussion of security is laughable. The real problem is resources. Show me an IT shop that has the staff and know-how to properly administer these policies and audits, and I will show you an IT shop that has been slashed by 2/3 over the last two years.

Once you get past the basic 'good idea' part of the list, things get trickier. Even basic secretarial tasks in the modern office require some level of information sharing: emailing attachments, burning CDs for clients and staff, etc. Sure, you can send your junior desktop support admin over to the boss's secretary's PC to epoxy her USB ports, but don't come crying to me when your vacation request form goes missing.

I think that the real key is proper management at an executive level. An understanding of information management needs to start at the top with policies on what data is to be shared and what is not. Users usually break policy rules because they have a real business need, not because they are devious - find out where the deficiencies are in legitimate data access and meet the needs of users so they don't have to get creative. If they break the rules for illegitimate data usage, punish those users accordingly and fairly.

Sometimes we in IT forget that computers are communications devices - they are inherently designed to move data. The act of placing a communications device in the hands of a user (especially laptops in the hands of remote users) without real policies on how that device is to be used is often the real problem. Yes, put engineering controls in place where practical, but understand their limitations as well. You must balance engineering controls with policy.
Posted by TechRepublic@...
31st Mar 2010