When managing security, there are some issues that you cannot handle just by installing anti-malware or monitoring clients and endpoints. For example, consider the following scenarios:
1) Employees write down their user name and password and leave the note on their desk.
2) Employees give their smart card to their colleagues.
3) Employees share their username and password with people outside the company.
In the above examples, you cannot control security by installing antivirus software, monitoring for infections, or forcing users to use complex passwords. These are social engineering security issues that you will face in your organization. You should do a security assessment of your employees and their behavior. It is a good idea to conduct a survey about what they do in different situations and why, for example:
1) Do you write your password on paper or memorize it?
2) Do you share your information with other people?
3) If your system has been compromised, what will you do?
4) Is your PC's monitor visible to other people?
It is better not to ask for an employee's name or number, and to assure employees that their privacy is protected. Then review this information and come up with a plan. Your plan should be based on the information that you collect, on analyzing how people do their work, and on the security risks you identify. You can use the Microsoft Assessment and Planning Toolkit to help with the assessment. Once you have done this, you can identify your security requirements and come up with a plan for protecting your organization.
Some of these issues must be handled by other departments, and you need to be there in person to address them (you cannot do these things remotely). For example, if a PC is in a location that is visible to everyone, then you should move it to another place.
For some other issues, however, you can use tools and private cloud solutions. Forefront Identity Manager (FIM) is one tool that can help you a lot in terms of account management. You can manage users' passwords and smart cards using this tool. When you use FIM, you should define new policies based on your organization's requirements. For example, if someone reports that his or her smart card is missing, you should block access for that smart card number and replace it with a new one. If you have a lot of cases where users forget their passwords, you can set up a policy that lets them reset their passwords themselves.
You can use tools to simplify management and security using cloud solutions. But there are other issues and policies that you should be careful about. You can install security tools on systems, but you cannot install them on people.