Andy made an interesting comment regarding his interest in Trusted Platform Module (TPM) hardware based security to compliment the software controls in his environment. I'm not familiar with the 3rd party he refers to (Wave) though can highly recommend Windows Vista's Bitlocker implementation that takes advantage of TMP hardware if it's available.
We use TPM (v1.2) features to root the chain of trust in both system integrity and information integrity in hardware. It's a feature of the high end SKU of Windows Vista. No extra charge. If you don't have TPM v1.2 compliant hardware you can still benefit from much of the featureset including what used to be refered to as "Secure Startup" and "Full Volume Encryption(FVE)". Without TPM you rely upon a USB storage device as the root. With TPM you can use it on it's own or in conjunction with the USB device for additional multi-factor protection.