I’ve referenced the Australian Defence Signals Directorate’s Cloud Computing Security Considerations document in the past, but they have a lot of other resources available. Many of the references are wonderfully light on government-speak and bloat, and are downright informative and readable (amazing, I know).
Their Strategies to Mitigate Targeted Cyber Intrusions lists the top 35 mitigations for intrusions, and is a solid list, including not only efficacy ratings, but also user resistance and upfront and ongoing costs. They call out application whitelisting as the number one mitigation, and consider it mandatory.
Yes, they spell “defence” funny, but then they probably think Americans spell defense funny, too.