Useful for security officers
The Microsoft Security Response Center, which receives vulnerability reports and makes sure that security updates are released, has compiled a list of 10 important security principles.
10 immutable laws of security
1. If a malicious user can convince you to run his program on your computer, it is no longer your computer.
2. If a malicious user can modify the operating system on your computer, it is no longer your computer.
3. If a malicious user has unrestricted physical access to your computer, it is no longer your computer.
4. If you allow a malicious user to upload applications to your website, it is no longer your website.
5. A weak password trumps strong security.
6. A computer is only as secure as its administrator is trustworthy.
7. Encrypted data is only as secure as the decryption key.
8. An out-of-date virus scanner is only marginally better than no virus scanner at all.
9. Absolute anonymity is not achievable, either in real life or on the web.
10. Technology is not a miracle cure.
Some comments
#2 and #3
These two largely go together when it comes to the attacks that are possible. If a machine contains sensitive information of any kind and you cannot secure it physically well enough, encrypt the hard drive and implement the best-practice recommendations for the product in question.
This applies particularly to domain controllers, Exchange and other servers out in the smaller branch offices. These are often not secured very well physically, and unfortunately the servers end up in many creative locations: under desks, in cupboards, and so on.
Two other things to think about with laptops:
1. Quite a few companies have a local admin account with the same password on all their machines. The more advanced ones change it regularly, but it is still the same on every machine. What happens when a laptop is lost? The person who now has the laptop potentially has all the time they need to crack the password of that shared admin account, and can then use it on every other computer in your network.
2. If a laptop is lost, can you be sure that a domain admin, or a user with extra privileges in the domain, has never logged into it? If they have, the person who now has the machine could potentially obtain the password hash for that user and take all the time they need to crack it, or use a free online service that does it relatively quickly, even for long and complex passwords (plenty of server capacity and large rainbow tables can handle it).
#10
This one I think is incredibly important. It is easy to rely on good technical solutions and let the technology take care of security. Technology certainly has a role to play in providing good security solutions, but on its own it is not enough. Rules about security are needed for users and, not least, for the IT department, and everyone must know about them. There must also be procedures for handling deviations and vulnerabilities.
And last but not least, user training is extremely important! A user with at least a minimal understanding of the security issues around IT solutions is a far safer user. And people who understand a little of the background to the rules (the IT security policy) are far more likely to actually follow them.
Across all rules
I often get questions about wanting to lock down machines as much as possible so that users cannot change things, and so on. That is in itself not difficult, but far too often it comes up in a context where the user is a local administrator. I know it is not always easy to arrive at a general solution where users are standard users, but these two elements, "lock down" and "user with local admin", are contradictions.
Fortunately, it has become easier to get by with standard users on Windows Vista, and if you start using Group Policy it is also easy to centralize the management of the exceptions that do need to be local admin.
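The three practical worries in the comments above (is the disk encrypted, who holds local admin on the machine, and has a privileged domain account ever logged on and left a profile and cached logon behind) can all be checked from the machine itself. The following read-only audit script is an added example, not part of the original post and not Microsoft's code. It assumes Windows 10 or later with PowerShell 5.1 and an elevated prompt; the `Get-BitLockerVolume`, `Get-LocalGroupMember` and `Get-CimInstance` cmdlets are standard, while the `CONTOSO\...` account names in `$PrivilegedAccounts` are a constructed sample you would replace with your own privileged accounts.

```powershell
# Added example (not from the original post): audit a laptop before it leaves
# the building. Assumes Windows 10+, PowerShell 5.1+, run as administrator.
# The privileged account list below is constructed for the example.
$PrivilegedAccounts = @('CONTOSO\da-alice', 'CONTOSO\svc-backup')

function Get-OsDriveEncryptionStatus {
    # Returns 'On', 'Off' or 'Unknown' for the Windows system volume.
    # 'Unknown' means the BitLocker module is not available on this build.
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        return [string]$vol.ProtectionStatus
    } catch {
        return 'Unknown'
    }
}

function Get-LocalAdminMembers {
    # Every principal that is a member of the built-in Administrators group,
    # including domain users and groups (PrincipalSource tells you which).
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object -Property Name, ObjectClass, PrincipalSource
}

function Get-PrivilegedProfilesOnMachine {
    param([string[]]$Privileged)
    # A profile folder means the account has logged on interactively at least
    # once; for domain accounts Windows also keeps a cached logon verifier, which
    # is exactly what point 2 above worries about on a lost laptop.
    Get-CimInstance -ClassName Win32_UserProfile |
        Where-Object { -not $_.Special } |
        ForEach-Object {
            $p = $_
            $name = $null
            try {
                # Resolve the SID to DOMAIN\user; needs the domain to be reachable.
                $sid  = New-Object System.Security.Principal.SecurityIdentifier($p.SID)
                $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                # Offline (or orphaned SID): fall back to the profile folder name.
                $name = Split-Path -Leaf $p.LocalPath
            }
            [pscustomobject]@{
                Account = $name
                LastUse = $p.LastUseTime
                Path    = $p.LocalPath
            }
        } |
        Where-Object { $Privileged -contains $_.Account }
}

# Report
"OS drive BitLocker protection: $(Get-OsDriveEncryptionStatus)"
""
"Members of the local Administrators group:"
Get-LocalAdminMembers | Format-Table -AutoSize
"Privileged accounts that have logged on to this machine:"
$hits = Get-PrivilegedProfilesOnMachine -Privileged $PrivilegedAccounts
if ($hits) { $hits | Format-Table -AutoSize } else { "  none found" }
```

Any row in the last table is a laptop on which a privileged account's credentials are at stake if the device goes missing; the cure is the one the post gives (disk encryption, and not letting domain admins log on to workstations in the first place), and the second table shows how far you still are from the "standard users everywhere" goal of the last section. The script changes nothing, so it is safe to run from a logon script or Group Policy across the fleet.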
Take a look at the article 10 Immutable Laws of Security.