The next step is to come up with the various types of authentication you want to support (such as physical, simple log-on names and passwords, two-factor authentication, and so on) and which should be allowed for the various entry points, user types, data types, and data classifications.
Naturally, you must also determine how the various data should be protected. What data classification levels require what levels of protection? What data types should be protected by transport encryption? What types of data require encryption at rest? You need to answer all these questions to begin to tackle how to secure the various security domains.
Less is more secure
I find it immensely helpful to get rid of any assets that people aren't using or the business doesn't need. Review all the inventoried items and work with the business stakeholder to cut the non-essentials. If FTP isn't needed, get rid of it, and replace it with something more secure. If users don't need the data, delete it. If you can consolidate various entry points and authentication methods into fewer mechanisms, do so. Less is less complicated. Less is lower cost and easier to secure.
Finally, define all the ways to keep the various user types and security zones from encroaching on each other. Here you'll use routers, firewalls, access control lists, authentication, VLANs, IPSec, SSL, and all the other tools that let you define security domains. Creating security domains that stretch from the user type/entry point object to the final destination (system or data) is what you should strive to accomplish. It's nice to terminate a user's protected connection at a perimeter firewall or proxy, but much better to maintain that security domain all the way to the data. That way user types inside your perimeter have a harder time commingling in other security domains' data.
Of course, it's a huge project. You won't be able to do it all in one big push, but bite off what you can in a given year and try to accomplish it. What you can do will make your organization more secure. And what you can't do -- well, at least you'll have a clear view of your security challenges and the opportunities for improvement ahead.