To add, also be sure the controller cannot be accessed from outside the LAN unless you specifically need it.
In the latter situation, I recommend that you either use a vhost setup or use telnet-ssl (and change the outside port to something obscure) if you can employ NAT. E.g.: 22022 -> 2002, etc.
Also change the administrator and manager voice mail codes. (Form 50 mbox 999). Any person able to hit a mailbox from the outside can muck with these accounts.
I prefer to zero the Maint2, supervisor and attendant logins (or make them complex passwords and stash them somewhere).
Jim