The following should be a good start:
ip access-list standard sip-access-list
permit host [ip of your external SIP provider]
permit 192.168.100.0 0.0.0.255 [Modify to match IP range of internal SIP phones]
ip sip access-class sip-access-list in
Then for management of the box:
ip access-list standard admin-list
permit 192.168.100.0 0.0.0.255 [Modify to match IP range of internal hosts]
permit [any external management IPs that need to access the box]
line telnet 0 4
login local-userlist
shutdown ! [unless you really need telnet, best to shut it down]
ip access-class admin-list in
line ssh 0 4
login local-userlist
no shutdown
ip access-class admin-list in
http ip access-class admin-list in
http ip secure-access-class admin-list in
The following turn off some things that aren't usually needed and represent security risks, as well as hide passwords from casual snooping of the running configuration.
service password-encryption
no tftp server
no tftp server overwrite
no ip ftp server
no ip scp server
no ip sntp server
no snmp agent
On most devices you can type the following:
run audit security
show audit security
which will give some useful guidance and possibly a few red herrings but it's pretty good at finding big holes. It whines about SSH and HTTP timeouts over 15 minutes as high risk as well as having the HTTP server enabled at all, even if both are locked down to inside addresses by access lists as shown above.
Delete the "admin" user and create one or more username/password pairs unique to your needs. Change the enable password as well.
