Employ good, trustworthy people that have an interest in the domain and the technology and encourage them to be responsible and empowered. Occasionally swap them out to give a chance for others to learn and review.
Setting procedures for security, in my experience, is always 10 steps behind the trouble.
The problem is that even if you do due diligence, people of questionable character still slip through. When I worked for the police department, we were going to hire another programmer. He'd gotten through our hiring process: polygraph, background investigation, interviews, fingerprinting, FBI records check, etc. Pretty extensive, not as extensive as sworn law enforcement, but still fairly tough. Our IT director had lunch with a peer, mentioned that X was about to start. His peer replied "X? We fired his butt! He was caught [engaging in an act of self-gratification] in his cubicle!" We withdrew the offer to hire him.
You can hire people who you think are trustworthy, but what constitutes trustworthy? I think that's something that can only be evaluated by watching someone's behavior over years, and then it's still easy to overlook something that could blow up in your face. People's situations change, illness happens, sudden debts, drug use, and stealing/selling confidential information becomes much more tempting.
Treat your people well, pay them decently, make the workplace a comfortable and pleasant place, and hope for the best. But you're still likely to have failures; it almost becomes a statistical certainty.
Knowledge is of two kinds. We know a subject ourselves or we know where we can find information upon it. --Samuel Johnson