This is what KEY Enterprise Solutions normally recommends for its clients:
Put the Domino server in a separate organization (its own certifier) in case some of your databases have */org entries in the ACL, then cross-certify the Domino server with your internal servers.
Put a password on the Notes server ID file in case someone manages to steal it off your site.
Encrypt all databases with the Notes server ID in case someone manages to steal the database files.
Set all databases to enforce local security (a consistent ACL across all replicas) in case someone manages to get both the database and the server ID.
Turn off database browsing for web clients so people can't reach databases you didn't mean to publish.
Set all databases to Default: No Access so only authenticated users can get into them.
Activate SSL (whether with a self-signed certificate or one from Verisign) to encrypt your network traffic to web clients.
Turn on network (port) encryption so that Notes clients talk to the Domino server encrypted when they connect over the Internet.
Protect any views you don't want accessed, because web users can use the 3PaneUI parameter to see all of a database's views.
If you are also using the Domino server as a Notes server, put files you don't want web users to access in a directory reached through a DirLink, and disable Domino's DirLink support for HTTP, so Notes users can follow the DirLinks but web users cannot.
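Three of the web-side items above (database browsing, Default: No Access, and views readable by web users) can be checked from the outside after the settings are made. The script below is an added example, not code from KEY Enterprise Solutions or from Lotus: it probes the well-known Domino URL commands ?OpenServer (lists databases when browsing is allowed), ?OpenDatabase and ?ReadViewEntries (returns a view as XML). The host domino.example, the database names, the use of $defaultview as the view name, and the assumption that a session-authentication login form posts to ?Login are all assumptions for illustration; the sample responses are constructed so the checks can be exercised with no network.

```python
"""Offline-testable audit of a Domino web server's exposure: database
browsing, anonymous database access, and view data via ?ReadViewEntries.
Added example; not Lotus's or KEY Enterprise Solutions' own code."""
import re
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, Tuple

# A fetcher maps a URL to (http_status, body_text). It is injected so the
# checks can be exercised against constructed responses without a network.
Fetcher = Callable[[str], Tuple[int, str]]

NSF_LINK = re.compile(r'href="[^"]*\.nsf', re.IGNORECASE)


def browsing_exposed(status: int, body: str) -> bool:
    """GET /?OpenServer lists every database when 'Allow HTTP clients to
    browse databases' is on. A 200 whose body links to .nsf files means
    the setting is still enabled."""
    return status == 200 and NSF_LINK.search(body) is not None


def anonymous_readable(status: int, body: str) -> bool:
    """Anonymous GET on db.nsf?OpenDatabase. A 401 challenge means the ACL
    kept Anonymous out. With session-based authentication Domino serves
    the login form with 200, so a 200 only counts as a hit when the body
    is not that form (assumption: the form's action contains ?Login)."""
    if status != 200:
        return False
    return "?Login" not in body


def view_data_exposed(status: int, body: str) -> bool:
    """GET db.nsf/<view>?ReadViewEntries returns the view as XML
    (<viewentries ...>) to anyone the ACL lets read the database."""
    return status == 200 and "<viewentries" in body.lower()


def audit(base_url: str, databases: Iterable[str], fetch: Fetcher) -> Dict[str, bool]:
    """Run the three checks; True means the weakness is present."""
    findings: Dict[str, bool] = {}
    status, body = fetch(f"{base_url}/?OpenServer")
    findings["database_browsing"] = browsing_exposed(status, body)
    for db in databases:
        status, body = fetch(f"{base_url}/{db}?OpenDatabase")
        findings[f"anonymous:{db}"] = anonymous_readable(status, body)
        # $defaultview is assumed here; any view name known to exist works.
        status, body = fetch(f"{base_url}/{db}/$defaultview?ReadViewEntries")
        findings[f"views:{db}"] = view_data_exposed(status, body)
    return findings


def http_fetch(url: str) -> Tuple[int, str]:
    """Real fetcher: anonymous GET, body capped at 64 KiB."""
    req = urllib.request.Request(url, headers={"User-Agent": "domino-audit"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536).decode("utf-8", "replace")


# Constructed sample responses (not captured from a real server).
SAMPLE_RESPONSES: Dict[str, Tuple[int, str]] = {
    "https://domino.example/?OpenServer": (
        200, '<html><a href="/names.nsf?OpenDatabase">names.nsf</a>'
             '<a href="/projects.nsf?OpenDatabase">projects.nsf</a></html>'),
    # names.nsf: Default No Access, server answers with a 401 challenge.
    "https://domino.example/names.nsf?OpenDatabase": (401, "Please identify yourself"),
    "https://domino.example/names.nsf/$defaultview?ReadViewEntries": (401, "Please identify yourself"),
    # projects.nsf: Anonymous can read it, and its view is dumped as XML.
    "https://domino.example/projects.nsf?OpenDatabase": (200, "<html>Projects</html>"),
    "https://domino.example/projects.nsf/$defaultview?ReadViewEntries": (
        200, '<?xml version="1.0"?><viewentries toplevelentries="12"></viewentries>'),
    # intranet.nsf: session authentication, login form served with 200.
    "https://domino.example/intranet.nsf?OpenDatabase": (
        200, '<form action="/names.nsf?Login" method="post"></form>'),
    "https://domino.example/intranet.nsf/$defaultview?ReadViewEntries": (
        200, '<form action="/names.nsf?Login" method="post"></form>'),
}


def sample_fetch(url: str) -> Tuple[int, str]:
    return SAMPLE_RESPONSES.get(url, (404, ""))


if __name__ == "__main__":
    # Usage: python domino_audit.py https://host names.nsf projects.nsf
    if len(sys.argv) > 2:
        result = audit(sys.argv[1].rstrip("/"), sys.argv[2:], http_fetch)
    else:
        result = audit("https://domino.example",
                       ["names.nsf", "projects.nsf", "intranet.nsf"], sample_fetch)
    for name, hit in result.items():
        print(f"{'EXPOSED' if hit else 'ok     '} {name}")
```

A True finding for database_browsing means the browsing switch is still on; a True anonymous: finding means the database's Default (or an explicit Anonymous entry) still grants access; a True views: finding means a web user can pull a whole view without ever opening the database in the browser.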
Also from GroupAware:
Name your databases and URLs carefully. If users manage to follow a hidden link or browse your system, they may be able to guess what you are planning from the URL names.