Get up to the very most recent OS X. A dot release in OS X disabled Firewire while the machine was sleeping, which is important because Firewire is basically a thin veneer around direct DMA access to system memory.
Enable FileVault. Unlike the feature that used to be called FileVault, modern FileVault is block-level AES-XTS encryption. (Before FileVault, my recommendation would have been to buy PGP WDE).
Tell the system to forget its key during sleep; the most recent rubber chicken to wave for this appears to be "sudo pmset -a destroyfvkeyonstandby 1 hibernatemode 25".
Power down your machine whenever you can; don't just shut the lid.
Buy Knox.app from AgileBits, which is a nice UI on top of the VFS-level block AES encryption OS X does. Create virtual disk drives for each of your clients, or each of your projects, or whatever. Create another for your mail; create another for personal documents. Give each a separate key (you'll rarely have all of them unlocked or need to use all of them). Do not store the keys in the Keychain.
Copy ~/Library/Mail's contents to the virtual disk you made for Mail and then replace ~/Library/Mail with a link to that disk; now, you'll need to have that virtual disk unlocked to read your mail.
Disable sharing; make sure every box in "Sharing" under Preferences is unchecked.
Enable the firewall and block all incoming connections; Preferences->Security->Firewall, Enable, Options->Block All Incoming Connections.
Get GPGTools and GPGMail (the most recent official build supports Mt. Lion nicely). Install them, and use GPG, from your Mac only, to send mail.
Do not supply your GPG private key to any service, ever.
Uninstall Dropbox. Sorry. Dropbox is fantastic. We ban it wholesale.
Though we can't use it for a variety of contractual reasons, I highly recommend Colin Percival's Tarsnap for backup.
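A check for the sleep-key item above, as an added example that is not part of the original post: it reads `pmset -g custom` output and confirms that both `destroyfvkeyonstandby 1` and `hibernatemode 25` are set for every power source, which catches the case where the setting was applied with `-b` or `-c` instead of `-a`. The function name and the sample input are constructed, and the assumed output layout is one unindented header per power source followed by indented `key value` lines.

```shell
#!/bin/sh
# Added example: audit `pmset -g custom` output read from stdin.
# Exit 0 = every power source matches the recommendation,
# 1 = at least one does not, 2 = no power-source sections found.
check_pmset() {
    awk '
        # An unindented line ending in ":" starts a power-source section.
        /^[A-Za-z].*:[ \t]*$/ { sub(/:[ \t]*$/, ""); src = $0; order[++n] = src; next }
        $1 == "destroyfvkeyonstandby" { d[src] = $2 }
        $1 == "hibernatemode"         { h[src] = $2 }
        END {
            if (n == 0) { print "no power-source sections found"; exit 2 }
            for (i = 1; i <= n; i++) {
                s = order[i]
                dv = (s in d) ? d[s] : "unset"
                hv = (s in h) ? h[s] : "unset"
                if (dv != "1")  { printf "%s: destroyfvkeyonstandby is %s, want 1\n", s, dv; bad = 1 }
                if (hv != "25") { printf "%s: hibernatemode is %s, want 25\n", s, hv; bad = 1 }
            }
            exit bad + 0
        }'
}

# Constructed sample input (not captured from a real machine).
sample_ok() {
    cat <<'EOF'
Battery Power:
 hibernatemode        25
 destroyfvkeyonstandby 1
AC Power:
 hibernatemode        25
 destroyfvkeyonstandby 1
EOF
}

# Constructed sample: battery profile still on the default hibernate mode.
sample_mixed() {
    cat <<'EOF'
Battery Power:
 hibernatemode        3
 destroyfvkeyonstandby 1
AC Power:
 hibernatemode        25
 destroyfvkeyonstandby 1
EOF
}

# On the Mac itself: pmset -g custom | check_pmset
```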