For starters, forget about good practices or best practices. As you've already said, what you can manage is "good enough." So while knowing what your peers are doing is worthwhile, it doesn't necessarily aid your decision-making process. After all, as the old adage goes: If everyone else was jumping off a cliff, would you do the same thing?
To answer the question more specifically, there is, in fact, an analytical process you can perform to determine what is good enough for your enterprise. That process is called risk analysis. There are some great frameworks out there, but my favorite is Factor Analysis of Information Risk, or FAIR. In the end, though, the assessment doesn't have to be fancy, and you can easily build your own decision matrix using Hubbard-esqe estimations.
Regardless of your technique or process, you need to find out what resources are important to your enterprise. Start by talking with your CIO, and then interview the heads of the other business units as well. Find out what systems and data they care about and where they think that data is. This will give you a prioritized list to begin the assessment. If you don't have this list of prioritized resources, it doesn't matter if you use risk management or best practices or any other technique, in the end, it will all just be guesswork.
For more information:
Dig Deeper on Risk assessments, metrics and frameworks
Related Q&A from David Mortman
While IT security consultancies can be helpful when trying to find flaws in an information security management framework, there are ways to do it ... Continue Reading
PCI DSS audits can be a lot easier if the scope is narrow. Learn how to consolidate and store sensitive data in order to best reduce PCI DSS security... Continue Reading
When hiring an information security team member, how important is a certification in information security? Learn how to talk to executives about ... Continue Reading