If I was starting from a blank state with structures of organisations - I'd generally tend towards divisional setups with depending on the amount of work DBAs tied to individual divisions. I would also put a DBA in the audit section who was not only tasked with monitoring fraudulent wreckless or incompetent database management but also spreading good practice and monitoring backups.

I would hope the slight tension between the audit dba and the section dbas would encourage enough competition to maintain good corporate governance going forward.

I'm not a great fan of limiting network privileges except for the most personal of data I think any improvement on perceived security is at the expense of flexibility and efficient management which in the long term leads to ignorance and incompetence which can be just as expensive as fraud.