The official docs only go as far to say put system above root and rename admin.php to something obscure - which is not security so much as it is inconveniencing bots that would otherwise simply try to hit domain.com/admin.php repeatedly, for example. I commonly hear (today on Twitter being an example) questions about what else one can do to secure expressionengine. Not being terribly knowledgable in this area myself, and so for my benefit and others, are there some #eecms security gurus out there that could share some of the essentials that everyone should consider doing?
You should also checkout Eric Lamb's Securitee ( http://devot-ee.com/add-ons/securitee ) add-on as a good next step in securing EE. It does a plethora of security checks to make sure that your system is as secure as possible through out the life of your site as security is not something that is set and forgot. From my experience harm doesn't usually come from hackers/bots but from people with to much access to the system. This also includes members that are granted temporary access but their access is never revoked, I know that in systems that I am added after development has been completed there are usually 2-3 super admins created for add-on developers to sort out a problem during development. While I am not saying that the add-on developers are going to wreck havoc on your site it is just another possible security hole that needs to be addressed.
Mark's booklet is a great read as is Eric Lamb's blog post about Securitee http://mithra62.com/blog/view/why-you-should-care-about-securitee