As many rules as there are *cough* experts *cough*
There are WAY too many variables involved to make one golden set of rules for all enterprises. If you have wall to wall developers, you first get them all to agree to a sensible approach (like all software that needs admin level lives in a VM where they can do whatever they like), but you know you need less lecturing on running unidentified code.
If you have people who mainly do word processing and admin, you can lock them out of admin without too many problems, and if we had software manufacturers who actually CARED about security they'd give us the option of installing at user level (i.e. without deep rights) or system wide. But they don't, which is why you have to avoid things like Adobe Reader.
There are many ways to skin this cat, or (for vegetarians) to peel this banana. About the only thing you can do that is consistent is follow the index of ISO 27002 and get some of that in place. Those are common practices that have been established and kept up to date over years. Even if you don't implement it in full, it's still a very useful checklist. If you're coding, I found OSSTMM very helpful, and OWASP is quite a good approach to shake the tree a bit if you're online.
Oh, and if you're serious about wanting security to work, avoid OCTAVE like the proverbial plague (Ebola, thus); you can smell the "let's make lots of work for consultants" stench from quite a distance. I think that was mainly designed to blow a massive budget to make it appear someone was doing something useful, but it's way too granular to leave a working organisation after it has been applied. Which says something about the places where it has been implemented...