What you wrote sounds good to me. I want to suggest to keep an eye on the network-security arround your app:
- Use a (non-software) firewall to allow only needed traffic to your server.
- Stop all unnecessary services on that box.
- If mysqld is one of those services you could allow only connections from 127.0.0.1.
- Use an intrusion-detection-system like snort.
- Make someone responsible to do all security patches but remember to try those patches on a second box before you get hit by some nasty side-effects.
- Continously keep an eye on the logs.
- Plan the actions for a worst-case scenario!