For message security options, a good reference starter is here: http://www.cisco.com/en/US/docs/voice_ip_comm/connection/7x/administration/guide/7xcucsag210.html
As for accessing CUC, a few things:
1) For the Platform Administrator ID (used to log in via console/SSH to the CLI), ensure that you use a strong password.
2) Use separate accounts for administrative access to the web administration vs. user access to user web applications (PCA, etc.). Additionally, CUC has "roles" that can be assigned to administrative or end user accounts to limit what a user can or cannot access.
3) Use the credential policies to set up a policy for administrative accounts and end user accounts. Make sure web password enforcement is strong (min 8 characters, no trivial passwords) and the same for end user voicemail passwords (e.g., min of 6 digits, no trivial passwords). You can also age out passwords so that administrators and/or users have to change their voicemail password (for phone) and web application password at a specific interval (e.g., 30/60/90 days), etc.
4) The other thing to look for is that you do not run the DB Proxy service unless you need to (it allows access to the DB remotely via a user with a Remote Administrator role assigned). This is used for COBRAS migrations, etc.; it is not typically needed day-to-day.
5) You can also lock down SMTP access to CUC using access lists (within CUC). Alternatively, you can allow untrusted SMTP connections but require authentication using TLS.
That should get you started.
Hailey
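The checklist above can be turned into a repeatable audit. The following is an added example, not part of the original post and not Cisco code: it checks a constructed inventory of credential policies and accounts against items 2 to 4. The field names, the sample records, the set of roles treated as administrative and the 90-day ceiling are assumptions made for illustration; they are not a CUC export format.

```python
# Thresholds from the post: web passwords min 8 characters, voicemail PINs
# min 6 digits, trivial-password checks on. The 90-day ceiling is an assumption
# taken from the post's "30/60/90" example.
MIN_LEN = {"web": 8, "pin": 6}
MAX_AGE_DAYS = 90
ADMIN_ROLES = {"System Administrator", "Remote Administrator"}  # assumed set

# Constructed sample data (hypothetical field names).
POLICIES = {
    "admin-web": {"kind": "web", "min_len": 8, "check_trivial": True, "max_age_days": 60},
    "user-web": {"kind": "web", "min_len": 6, "check_trivial": True, "max_age_days": 90},
    "user-pin": {"kind": "pin", "min_len": 6, "check_trivial": False, "max_age_days": 0},
}
ACCOUNTS = [
    {"alias": "ucadmin", "roles": ["System Administrator"], "mailbox": False},
    {"alias": "jdoe", "roles": ["System Administrator"], "mailbox": True},
    {"alias": "cobras", "roles": ["Remote Administrator"], "mailbox": False},
]
DB_PROXY_RUNNING = True  # constructed service state


def audit_policy(name, p):
    """Item 3: length, trivial-password check and expiry for one policy."""
    findings = []
    floor = MIN_LEN[p["kind"]]
    if p["min_len"] < floor:
        findings.append(f"{name}: minimum length {p['min_len']} < {floor}")
    if not p["check_trivial"]:
        findings.append(f"{name}: trivial-password check disabled")
    if not 0 < p["max_age_days"] <= MAX_AGE_DAYS:  # 0 means never expires
        findings.append(f"{name}: no expiry within {MAX_AGE_DAYS} days")
    return findings


def audit_accounts(accounts, db_proxy_running):
    """Items 2 and 4: admin/user separation and remote DB exposure."""
    findings = []
    for a in accounts:
        if a["mailbox"] and ADMIN_ROLES & set(a["roles"]):
            findings.append(f"{a['alias']}: admin role on an end-user account")
        if db_proxy_running and "Remote Administrator" in a["roles"]:
            findings.append(f"{a['alias']}: remote DB access live (DB Proxy running)")
    return findings


def audit(policies, accounts, db_proxy_running):
    out = [f for name, p in policies.items() for f in audit_policy(name, p)]
    return out + audit_accounts(accounts, db_proxy_running)


if __name__ == "__main__":
    print("\n".join(audit(POLICIES, ACCOUNTS, DB_PROXY_RUNNING)))
```
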