Reduce the number of profiles as much as possible
I believe that one of the main reasons why Salesforce profiles are neglected is that they are quite hard to maintain. Whoever is in charge of managing profiles won’t be able to do a good job if there are too many of them. You can’t update them through the Data Loader yet; the best option available is to edit them through list views, which is still relatively inefficient. There’s more information about this here: “Edit Multiple Profiles with Profile List Views”.
Keeping the number of profiles as small as possible is a best practice. The trick is to form the biggest possible groups of users and think about the layouts, rights, record types and object permissions they have in common. An excellent way to start is by grouping your users by department, because different departments won’t use Salesforce the same way. For example, Marketing users will create leads and campaigns, whereas Sales users will create accounts and opportunities. Here, you don’t need to think about countries and hierarchy.
If you need to grant more privileges to some users among the same “department”, you can use permission sets. For example, some users will need more reporting capabilities, and you can create a permission set for this purpose.
Reduce rights and object permissions
Another common mistake is granting way too many permissions to Salesforce users. Granting all permissions is the easiest way for an administrator to get around the burden of profile administration. By doing this, the administrator will be called upon less often, but that’s the worst way to handle the job. An admin has to deal with many permissions. I’d recommend that any organization remove the delete permission on opportunities so that it keeps its pipeline and billing insights. Users who were used to deleting opportunities will contact the administrator and ask him/her for an explanation. It’s going to take time, and it might be painful at the beginning, but reducing rights and object permissions is the best way to streamline processes, and it can save you a lot of trouble afterward.
Make it durable
You need to check a few permissions. For example, “Customize Application” allows someone to create and delete fields, record types, page layouts… No one but system administrators should have this administrative permission.
Remember that anyone with the “Manage Profiles and Permission Sets” or “Assign Permission Sets” permission can potentially grant himself/herself the “Customize Application” permission. Checking the “Setup Audit Trails” from time to time is an excellent way to ensure that no one in your company used this trick…
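One way to check this regularly, as an added example that is not part of the original post: report every profile or permission set outside the system administrator profile that holds “Customize Application” or either of the two permissions that allow granting it. The rows mimic what a SOQL query on the PermissionSet object returns through the REST API; the sample rows and the API field names (PermissionsCustomizeApplication, PermissionsManageProfilesPermissionsets, PermissionsAssignPermissionSets) are assumptions to confirm against your org’s describe output.

```python
# Added audit example (not from the original post). Input rows follow the shape of
# SELECT Name, IsOwnedByProfile, Profile.Name, Permissions... FROM PermissionSet
# as returned by the REST API; profiles show up as permission sets owned by a profile.
# Field names below are assumed, not verified against a live org.
from typing import Dict, List

ADMIN_FIELDS = {
    "PermissionsCustomizeApplication": "Customize Application",
    "PermissionsManageProfilesPermissionsets": "Manage Profiles and Permission Sets",
    "PermissionsAssignPermissionSets": "Assign Permission Sets",
}
ALLOWED_HOLDERS = {"System Administrator"}  # profiles expected to hold these

# Constructed sample rows (not real org data).
SAMPLE_ROWS = [
    {"Name": "X00e_SysAdmin", "IsOwnedByProfile": True,
     "Profile": {"Name": "System Administrator"},
     "PermissionsCustomizeApplication": True,
     "PermissionsManageProfilesPermissionsets": True,
     "PermissionsAssignPermissionSets": True},
    {"Name": "X00e_Sales", "IsOwnedByProfile": True, "Profile": {"Name": "Sales"},
     "PermissionsCustomizeApplication": False,
     "PermissionsManageProfilesPermissionsets": False,
     "PermissionsAssignPermissionSets": True},   # can self-escalate via a perm set
    {"Name": "Extra_Reporting", "IsOwnedByProfile": False, "Profile": None,
     "PermissionsCustomizeApplication": True,    # admin right hidden in a perm set
     "PermissionsManageProfilesPermissionsets": False,
     "PermissionsAssignPermissionSets": False},
]

def holder_name(row: Dict) -> str:
    """Label a row by its profile name when it belongs to a profile, else by set name."""
    if row.get("IsOwnedByProfile") and row.get("Profile"):
        return "Profile: " + row["Profile"]["Name"]
    return "Permission set: " + row["Name"]

def is_allowed_admin(row: Dict) -> bool:
    prof = row.get("Profile") or {}
    return bool(row.get("IsOwnedByProfile")) and prof.get("Name") in ALLOWED_HOLDERS

def find_risky_grants(rows: List[Dict]) -> Dict[str, List[str]]:
    """Map each non-admin profile/permission set to the admin permissions it grants."""
    findings: Dict[str, List[str]] = {}
    for row in rows:
        if is_allowed_admin(row):
            continue
        granted = [label for field, label in ADMIN_FIELDS.items() if row.get(field)]
        if granted:
            findings[holder_name(row)] = granted
    return findings

if __name__ == "__main__":
    for holder, perms in find_risky_grants(SAMPLE_ROWS).items():
        print(f"{holder}: {', '.join(perms)}")
```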