Database open to all in the organisation.
Database accessed via a PC application (written using Visual C++ 2008) which only ever uses sprocs to communicate to the database.
A dedicated username/password has been created for the database usage. This username/password is built into the application (so everyone will be using the same user/pass). Each person having their own account is not desirable. Not the best solution, but at least the username/password is not seen in the application in plain text (although no doubt it can be seen in memory as such and transmitted along the network).
This account only has CONNECT and EXECUTE privileges to appropriate tables in the single database.
No dynamic SQL is used in any sproc.
All sproc usage is logged with the IP of the client PC, date, time, command, etc.
Only the SQLSERVER port is open.
For any typical employee, the physical server is behind at least 3 locked doors (directors: behind one locked door; CEO: none).
Anything I've missed?
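The setup described above, written out as T-SQL for SQL Server, as an added example that is not part of the original question. All names (the AppDb database, the AppLogin login, the AppUser user, the dbo.Orders and dbo.AppAudit tables, and the dbo.usp_GetOrder procedure) are placeholders chosen for illustration, and the password is a placeholder to be replaced. The example shows the three security-relevant pieces of the design: a user that holds EXECUTE on named procedures and nothing on the tables, a procedure that takes a typed parameter and never builds dynamic SQL, and an audit row written on every call that records the client address, date and time, procedure name and parameters. The final block is the check an administrator can run to confirm the grants are as narrow as intended.

```sql
-- Added example (not from the original post): least-privilege SQL Server setup
-- for an application that only ever calls stored procedures.
-- Placeholders: AppDb, AppLogin, AppUser, dbo.Orders, dbo.AppAudit, dbo.usp_GetOrder.

-- 1. One login for the application, mapped to a database user.
--    CONNECT on the database is granted implicitly when the user is created.
CREATE LOGIN AppLogin WITH PASSWORD = '<strong-password-placeholder>',
    CHECK_POLICY = ON;
GO
USE AppDb;
GO
CREATE USER AppUser FOR LOGIN AppLogin WITH DEFAULT_SCHEMA = dbo;
GO

-- 2. Data table (placeholder) and the audit table every procedure writes to.
CREATE TABLE dbo.Orders (
    OrderId    INT            NOT NULL PRIMARY KEY,
    CustomerId INT            NOT NULL,
    OrderDate  DATE           NOT NULL,
    Total      DECIMAL(10, 2) NOT NULL
);
GO
CREATE TABLE dbo.AppAudit (
    AuditId    INT IDENTITY(1, 1) NOT NULL PRIMARY KEY,
    LoggedAt   DATETIME2     NOT NULL DEFAULT SYSUTCDATETIME(),
    ClientAddr VARCHAR(48)   NULL,
    HostName   SYSNAME       NULL,
    ProcName   SYSNAME       NOT NULL,
    Parameters NVARCHAR(400) NULL
);
GO

-- 3. A procedure with a typed parameter and no dynamic SQL. The parameter is
--    only ever used as a value in a WHERE clause, so there is no string for an
--    injection payload to land in.
CREATE PROCEDURE dbo.usp_GetOrder
    @OrderId INT
AS
BEGIN
    SET NOCOUNT ON;

    -- Audit the call. CONNECTIONPROPERTY reads the address from the session's
    -- own connection, so the client cannot supply a false value the way it
    -- could with an extra parameter. HOST_NAME() is client-supplied and is
    -- kept only as a convenience for correlation.
    INSERT INTO dbo.AppAudit (ClientAddr, HostName, ProcName, Parameters)
    VALUES (
        CAST(CONNECTIONPROPERTY('client_net_address') AS VARCHAR(48)),
        HOST_NAME(),
        OBJECT_NAME(@@PROCID),
        N'@OrderId=' + CAST(@OrderId AS NVARCHAR(12))
    );

    SELECT OrderId, CustomerId, OrderDate, Total
    FROM dbo.Orders
    WHERE OrderId = @OrderId;
END;
GO

-- 4. Grant EXECUTE per procedure, not on the whole schema (EXECUTE ON
--    SCHEMA::dbo would cover every procedure added later as well).
--    No grant is made on dbo.Orders or dbo.AppAudit: because the procedure and
--    both tables share the same owner (dbo), ownership chaining lets the
--    procedure read and write them while the caller cannot touch them directly.
GRANT EXECUTE ON OBJECT::dbo.usp_GetOrder TO AppUser;
GO

-- 5. Check the effective permissions of the application user. Run as an
--    administrator: the first query should list EXECUTE, the other two nothing.
EXECUTE AS USER = 'AppUser';
SELECT permission_name FROM fn_my_permissions('dbo.usp_GetOrder', 'OBJECT');
SELECT permission_name FROM fn_my_permissions('dbo.Orders', 'OBJECT');
SELECT permission_name FROM fn_my_permissions('dbo.AppAudit', 'OBJECT');
REVERT;
GO
```

The last block is the useful recurring check: if a later grant on the tables or on SCHEMA::dbo ever widens the user's rights, the second and third queries stop returning empty results. The audit row is written inside the procedure rather than by the application so that a caller who uses the shared credential from another client still leaves a record with the address the server observed.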