By far not sufficient when you get to that level of required security.
If there is no alarms, monitoring etc. and reinforced walls, a thief can potentially get inside without anyone noticing through another wall, ceiling or floor.
* Use linux with GRSEC
* All network daemons turned off
* Firewall all ingress, don't even allow ping etc.
* Firewall all egress, only make sure what's ultimately needed is accessible, potentially building a whitelist if possible
* No excess software what-so-ever, just what is ultimately needed
* ROOT account: No logins, create another account which can only be locally logon to, which can sudo. Password 16 chars, potentially automatically rotating. Possibly also having 2 factor authentication. You can trivially create this step by even creating a PHP Script as the shell :)
* USER account: Limited to only what is required, potentially chrooted to the exact data which is required to be accessible etc. Depends on the usability required
* Watch logins: More than 2-5 failed logins, shut the system down immediately using "magic" SYSRQ, wrong username? Instantly
* Full disk encryption, on top of which potentially using a bit obscure filesystem to make it that much harder to break. The required data should have 2nd level encryption unless doing that creates a potential attack vector on the first level encryption
* Potentially use hardware where you can review the firmware/bios if possible
* HW firewall "integrated" to the motherboard, motherboard network connectors are removed and hardwired to this HW firewall, so that even a skilled person would require atleast 20mins to bypass the HW Firewall
* HW Firewall configured in the same sense as the SW firewall, potentially with additional protections.
* Super Epoxy glue all connectors, modules etc. including the HW firewall buttons and it's mainboard into the motherboard etc. -> Stops quick tampering.
* Disk drives and CPU needs cooling, so CPU heatsink could use heat transfer glue to the CPU and super epoxy from the sides on to the motherboard. Disk drives can have little spacing with the super epoxy.
* The whole case is epoxied together/welded. No connector should be accessible, but peripherals mounted permanently with super epoxy to avoid inserting capturing devices directly.
* Braided stainless steel sleeves for all cabling to make splicing in harder.
* Epoxy on the other side of the peripherals as well ;)
FW Config: Potentially disabling all unencrypted connections, verifying against known certificates, no other connections allowed, if possible. Potentially also limiting data transfer rates so that if anyone tries to transmit data outside -> it will take long enough for security to take notice.
GRSEC configuration is very involved, but can be teached.
Process list should be verified and checked against.
This will create a secured SW + HW environment.
If you cannot use a motherboard/devices which firmware you can verify, the extreme FW measures taken (both SW + HW) should ensure no data gets transmitted without permission. It is highly doubtful that same organization can be behind a security hole in the motherboard AND the HW FW, but you can also create your own HW FW using things like Arduino where you would be the person creating the firmware as well.
Epoxy: Modern cars are glued together, so just use similar industrial strength epoxy.
In the end it's all about making accessibility slower if it's a highly skilled attacker with knowledge about the system upfront, which can potentially stop the attempted attack all together if it's deemed too secure.
BUT Security via obscurity is still not security, i see people changing their SSH ports, blocking Ping etc. but that doesn't really add to security, as the information can still be gathered very quickly.