Oh yeah.
I am also interested in it.
Add:
6. Use https for the authentications. (Both Forum and ACP)
This seems to be built in already in 3.0.
After login, use unencrypted http for normal access.
7. Whenever someone tries to access the ACP, send an email notification.