How to organize information security in an organization?
There is a large (for the region) trading company. The company has many offices in one city; some of them work with each other over a local network, and some work through a VPN, which also puts them on the local network.
At the moment, information security is at an extremely low level (except that anti-virus software is installed on servers and client machines).
I would like to hear from those who work in the field of information security: how can the network be at least more or less protected? At the moment Internet access goes out directly, because the router to which all branches are connected is specified as the gateway.
1. Start using a proxy server to let users out to the Internet. Preferably with built-in URL filtering. For example, UserGate.
2. Block USB/CD on end-user stations. At least through group policies.
3. Separate the server part of the corporate network into a separate VLAN, and place the published services in a DMZ. Configure the ACLs properly.
4. Localize confidential information on network resources, and grant access to it on the basis of requests that are approved by either IS/ES or the resource owners.
5. Make a short reminder for employees on the rules of information security at the least; as a good result, work out an information security policy for the enterprise.
6. Scan the corporate external IPs at least with a port scanner (nmap), ideally with a vulnerability scanner (Nessus, for example).
7. It is important to convey the aspects of information security to management, so that they understand how important it can be and so that there are no barriers in the future... this should have been the first point)
And so on... centralized storage, processing of logs, WSUS...
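Points 3 and 6 of the answer above can be combined into a repeatable check; this is an added example, not part of the original answer. It parses nmap grepable output (`-oG`) for the company's own external addresses and reports every open port that is not in the inventory of services intentionally published from the DMZ. The addresses (documentation range 203.0.113.0/24), the scan text and the `PUBLISHED` inventory are constructed for illustration.

```python
import re

# Constructed sample of nmap grepable (-oG) output for documentation addresses.
SAMPLE_SCAN = """\
# Nmap scan of own external addresses (constructed sample)
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 25/open/tcp//smtp///, 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (997)
Host: 203.0.113.11 ()\tStatus: Up
Host: 203.0.113.11 ()\tPorts: 80/filtered/tcp//http///, 445/open/tcp//microsoft-ds///
"""

# Assumed inventory: (ip, port, proto) of services deliberately published in the DMZ.
PUBLISHED = {("203.0.113.10", 25, "tcp"), ("203.0.113.10", 443, "tcp")}

HOST_RE = re.compile(r"^Host:\s+(\S+)")
PORTS_RE = re.compile(r"Ports:\s+([^\t]+)")


def open_ports(grepable):
    """Yield (ip, port, proto, service) for every port nmap reports as open."""
    for line in grepable.splitlines():
        host, ports = HOST_RE.search(line), PORTS_RE.search(line)
        if not (host and ports):
            continue  # comment lines and "Status:" lines carry no port list
        for entry in ports.group(1).split(","):
            # Entry layout: port/state/proto/owner/service/rpcinfo/version/
            fields = entry.strip().split("/")
            if len(fields) >= 5 and fields[1] == "open":
                yield host.group(1), int(fields[0]), fields[2], fields[4]


def unexpected_exposure(grepable, published):
    """Open ports that are absent from the published-services inventory."""
    return sorted(p for p in open_ports(grepable) if p[:3] not in published)


def missing_services(grepable, published):
    """Published services that the scan did not see as open (possible outage)."""
    seen = {p[:3] for p in open_ports(grepable)}
    return sorted(published - seen)


if __name__ == "__main__":
    for ip, port, proto, svc in unexpected_exposure(SAMPLE_SCAN, PUBLISHED):
        print(f"UNEXPECTED {ip}:{port}/{proto} ({svc}): close it or restrict it with an ACL")
    for ip, port, proto in missing_services(SAMPLE_SCAN, PUBLISHED):
        print(f"MISSING {ip}:{port}/{proto}: published service not reachable")
```

Run on a schedule against fresh scan output, the same comparison shows when a new service appears on the perimeter without having gone through the DMZ and ACL review.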
1) If IS is understood as "staff control", then bet on all users
2) If IS is understood as "protection of data from leakage, etc.", then audit the risks, and from there it will already be clear what needs to be protected => what specific steps need to be taken.
Information security, and not only it, begins with analytics. To begin with, study the organizational structure of the enterprise: what departments there are and what they do. Then collect all the information about the LAN of the enterprise: what goes where and from where. Based on the data obtained, you can already begin to figure out in which control zones the employees of these departments will be located. Then it would not be bad to write down your rights and obligations as an IS administrator (by an order or directive of the head). Then figure out the budget. And do not forget that information security is not a one-time event, but a process.