Some good points. Of course, there's the usual issue with any of these suggestions: management has to be onside, and enforcing these policies, since they almost always "get in the way" of the actual work people are trying to do.
My personal favorite is determining what level of access the service/help desk bods have. If you want issues fixed by first level techs, then they need very high security access. Taking that away and making them call loggers will result in better security, but shittier users, since you can't just get a file restored over the phone. Or when the sysadmin team who usually deal with 10-30 jobs per day are now required to do (for securitah!) various tasks the helldesk used to do, they suddenly can't cope with 200+ calls logged per day.
For most organisations, you can call up, tell them you've come back from holiday, and can't recall your username ("It's usually already entered, but Bob's been using my computer") and could they reset your password too, and they'll just do it without batting an eyelid.
Very important is to check that how the system was designed is actually how it works. A number of times I've been told "but Bob doesn't have remote access" or "Bob isn't in the AD group for remote access" but since Bob is quite happily working away remotely (and has been for months) then there clearly is some difference between what is documented for remote working and the practice.
As for the HR forms for new staff... Christ almighty. HR manage to fuck up more details than I can recall. Mainly spelling of names, mixing up surnames and first names, incorrect starting and finishing dates, failing to record extensions of contracts, incorrect assignments of responsibilities, lack of signoff for security access. Most seem unable to deal with their actual jobs, managing to be ignorant of contract and employment law, and unable to revise contracts to resemble reality. Funniest was when my contract specified working hours (between 8am and 6pm Monday to Friday) for a role where I only worked 6pm to 12am plus weekends. I asked them to revise it five times, getting a "new" contract each time that was _exactly_ the same as the previous one. No matter how I spelled it out, I was classified as a service desk bod, and thus must only have the SD contract, even if the contract was flat out wrong.
If management and HR are competent, then a lot of policies will be sensible and enforced well. If they are numpties then no matter how good a techie you are, you'll get fucked by dumb decisions or dumb enforcement.