Assume that you are the boss of a company that lets staff have laptop computers. And that these laptops might contain confidential data.
How would you protect against exposure of that data?
The “Wrong Way Computer Security Policy Person” would send out a directive that no confidential data is to leave the building unless it is encrypted.
That sounds reasonable. But it is not effective.
The “Right Way Computer Security Policy Person” would say “All laptop computers will have encryption installed and required by the settings on the computer. Laptop users cannot disable that encryption.”
Now you have an effective data protection policy.
And go further: all laptops have power-on passwords and strong user account passwords. And users do not run with administrator privileges. And any external drive (USB, etc.) will be encrypted. And the CMOS settings will disable booting from anything other than the C drive. And there is a power-on supervisor password that prevents access to CMOS settings.
And you have procedures in place to check those settings any time the computer connects to the company network.
And a “one strike and you’re out” policy to enforce things.
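The connect-time check and the one-strike rule above, as an added example that is not part of the original post: each laptop setting the policy names becomes a test, and any failure denies network access. The posture report fields are an assumption, standing in for what an endpoint agent or inventory tool would actually report.

```python
"""Network-admission posture check for the laptop policy described above.

Added example, not code from the original post. The Posture report format is
assumed; in practice it would be filled in by an endpoint agent or MDM inventory.
"""
from dataclasses import dataclass, field


@dataclass
class Posture:
    hostname: str
    disk_encrypted: bool              # full-disk encryption active on the system drive
    user_can_disable_encryption: bool  # policy requires this to be False
    power_on_password: bool
    user_is_admin: bool               # policy requires this to be False
    boot_order: list[str]             # firmware boot device order (constructed names)
    supervisor_password: bool         # firmware/CMOS settings locked
    external_drives: dict[str, bool] = field(default_factory=dict)  # drive -> encrypted?


def check_posture(p: Posture) -> list[str]:
    """Return the list of policy violations; an empty list means compliant."""
    violations = []
    if not p.disk_encrypted:
        violations.append("system drive not encrypted")
    if p.user_can_disable_encryption:
        violations.append("encryption can be disabled by the user")
    if not p.power_on_password:
        violations.append("no power-on password")
    if p.user_is_admin:
        violations.append("user runs with administrator privileges")
    if p.boot_order != ["internal-disk"]:   # only the internal (C) drive may boot
        violations.append(f"boot order allows other devices: {p.boot_order}")
    if not p.supervisor_password:
        violations.append("firmware settings not protected by supervisor password")
    for name, encrypted in p.external_drives.items():
        if not encrypted:
            violations.append(f"external drive {name} not encrypted")
    return violations


def admit_to_network(p: Posture) -> bool:
    """One strike and you're out: any single violation denies network access."""
    return not check_posture(p)


# Constructed sample reports: one compliant laptop, one with several violations.
COMPLIANT = Posture("lt-001", True, False, True, False, ["internal-disk"], True, {"usb1": True})
NONCOMPLIANT = Posture("lt-002", True, True, True, True, ["usb", "internal-disk"], False, {"usb1": False})

if __name__ == "__main__":
    for report in (COMPLIANT, NONCOMPLIANT):
        verdict = "admit" if admit_to_network(report) else "deny"
        print(report.hostname, verdict, check_posture(report))
```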
Now you are a “Right Way Computer Security Policy Person”.
Other ideas? Use the comments.