Data Everywhere..... How Are YOU Dealing With It?

I read Computerworld's article Securing Data When Data Is Everywhere yesterday. The author writes about her challenges deciding how to address proliferations of Microsoft Access databases (holding information falling under HIPAA) across the enterprise.

I'm soooo glad I don't have to worry about this one any more. It quite literally kept me awake a few nights when I was a university dba. Microsoft Access and (more recently MySQL) has been the readily available reporting tool of choice in every organization I've worked for. I can't recall one that didn't have at least a few machines that stored results within Access -- for purposes of further analysis or longitudinal reporting.

Given the recent firing of two IT execs at Ohio University -- for data that may or may not have really been within their purview -- there's good reason for security departments to want to figure out how to deal with database proliferation.

I thought I'd post an OPEN QUESTION to the community -- how are you addressing this issue? Alternatively, how would you LIKE to address this issue? (And no, sending out an agent to delete all Access executables on the LAN doesn't count as an answer....)

I'll start:
* At my current employer, we sign off yearly on our understanding of company data/security policies and our laptops are managed and monitored fairly closely. Encryption software is provided, and use of said software is expected. (But then, we have a decent IT budget.) Still, truly securing customer data requires that my actions comply with the policies.

* At my last employer (a regional university) departments control and maintain their own hardware, with help from IT upon request. Some actually have a technical staffer, others muddle along as best they can. All "querying users" sign acknowledgement of their understanding of FERPA and the consequences of releasing data, but there's no technical guidelines in the document. Any machines accepting connections from others are required to be reported as "servers" to IT for tracking purposes.

These above employers are probably the two extreme ends of the "IT Control" spectrum, with most organizations falling somewhere between.

The more I ponder this, the more it feels like a business policy issue. Users are going to store data, electronically or on paper. That's a given. What's missing are best practices for protecting that data.

Recommendations? Best Practices?