Just writing down some idea's
Dual internet connection with failover
Share public range with BGP
Alternativly two public IP ranges with dyndns
OOB mananagement (open gear)
Redundancy starting at the SAN
Rule of thumb 2 of everything
HA firewall
HA switch (stack)
Vlans/networks LAN,WIFI, DMZ, DB, APP, VOICE, RSPAN, OOBMGMT, BACKUPS, MONITORING
Off site (cloud) backups or tape taken off site
Monitoring, graphing, alerting, PTRG, Netflow, SNMP
NTP server
TFTP server
config backup
radius and MFA (DUO) where possible
syslog (syslog-ng)
opendns (Cisco umbrella / dnsfilter)
IPS like security onion
Multiple DMZs or Private VLANS in your DMZ alternatively consider reverse proxy.