Something I would add to the discussion, and a place where security is often forgotten, is end-user training.

Physical security (on the desktop side... MsMittens provided a good server/equipment security list) starts and often ends with the desktop user. You can't disable floppy drives and such on the desktop if it hampers user productivity. You can't make passwords SO complex that users have to write them down, or have to type them so slowly that shoulder surfers can follow along. And social engineering...

I think users need to be trained (and updated regularly) on safe security practices like locking your workstation when you get up (if you don't have a network policy forcing a locking screen saver), not writing your password down, not allowing shoulder surfing, and being aware of possible social engineering attacks.

Back when I was doing some sysadmin work, the big thing going around was phone calls claiming to be from AT&T or the local carrier, needing to "test lines" by having the user dial certain codes into the system... which would allow the incoming caller access to our outbound dial lines for free long distance.

Also, if you're a business, physical security should always cover your ISP/local carrier demarc (demarcation point). Most will run the demarc inside your building (and, for a cost, into whatever room you specify) so that it's secure. If you have an outside connection point, you have to have a way to secure it (like gore said... a walker and some alligator clips make an easy access point).

Also, if you're running wireless, you should limit your range to the INTERIOR of the building if possible. Don't let access spill out into the road, the parking lot, or other floors (if you're in a large multi-tenant building).

That's all I have for now...
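As an added illustration of the "network policy forcing a lock screen saver" mentioned in the post above (this is example code added here, not code from the original post or from anyone in the thread): the PowerShell below writes, for the current user, the same registry values that the User Configuration Group Policy settings "Enable screen saver", "Password protect the screen saver" and "Screen saver timeout" write, then checks that they took. The 600-second timeout and the choice of the blank screen saver are assumptions; pick whatever your own policy says.

```powershell
# Added example, not from the original post. Enforces a password-protected
# screen saver after a period of idle time for the current user by writing the
# policy registry values that the Group Policy settings under
# User Configuration > Administrative Templates > Control Panel > Personalization
# would write. Because they live under HKCU:\Software\Policies, the user
# cannot override them from the Screen Saver dialog.
# The 600-second timeout is an assumed value; adjust to your own policy.

$PolicyKey      = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$TimeoutSeconds = 600

function Set-ScreenLockPolicy {
    param([int]$Seconds = 600)
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    # The policy engine stores these three as REG_SZ strings, so we do the same.
    Set-ItemProperty -Path $PolicyKey -Name 'ScreenSaveActive'    -Value '1'        -Type String
    Set-ItemProperty -Path $PolicyKey -Name 'ScreenSaverIsSecure' -Value '1'        -Type String
    Set-ItemProperty -Path $PolicyKey -Name 'ScreenSaveTimeOut'   -Value "$Seconds" -Type String
    # The blank screen saver shipped with Windows is enough; the lock is the point,
    # not the animation.
    Set-ItemProperty -Path $PolicyKey -Name 'SCRNSAVE.EXE'        -Value 'scrnsave.scr' -Type String
}

function Test-ScreenLockPolicy {
    # Returns $true only if a secure screen saver is enforced with a timeout
    # no longer than $MaxSeconds.
    param([int]$MaxSeconds = 600)
    if (-not (Test-Path $PolicyKey)) { return $false }
    $p = Get-ItemProperty -Path $PolicyKey
    return ($p.ScreenSaveActive    -eq '1' -and
            $p.ScreenSaverIsSecure -eq '1' -and
            [int]$p.ScreenSaveTimeOut -le $MaxSeconds)
}

Set-ScreenLockPolicy -Seconds $TimeoutSeconds
if (Test-ScreenLockPolicy -MaxSeconds $TimeoutSeconds) {
    Write-Output "Screen lock policy in effect: lock after $TimeoutSeconds seconds idle."
} else {
    Write-Output "Screen lock policy NOT in effect; check $PolicyKey."
}
```

On a domain you would set the same three settings once in a GPO rather than scripting each workstation; the script is useful for a standalone machine or for auditing that the GPO actually applied. The Test-ScreenLockPolicy function is the kind of check worth running periodically, since a policy that was set once and silently stopped applying gives you the worst of both: users think the lock is automatic and stop locking by hand.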