Securing a production system is not an easy task, since many things can break. One thing that these darn security auditors thought me, is that when installing from the ground up, always have security in mind -- the best time to test your security is with a brand new system which isn't in production. Keep this in mind when you'll update to a newer version of HP-UX. Bastille can be very useful but be careful when in production.
I couldn't say for Oracle and DP, but for your HP-UX servers one thing I suggest you try is running Nessus against all your servers, including your Windows EVA storage server. Nessus is available on Internet Express for HP-UX, but you might prefer just grabbing the lastest 2.x version for Windows. Be sure to update the plugins tree before your scan. Your security auditors will most probably use a network scanner like this to find out easy holes such as old OpenSSL versions and useless anonymous ftp or telnet/rlogin services.
IP Filter can be VERY USEFUL against network scanners, I use it very efficently now but it took quite some work. The advantage of IP Filter is that with this tool, you won't need to have to mess with inetd.sec, TCP Wrappers, Oracle filters and application-specific filters ever again.
If they ask for a valid, non priviledged login on your system to try to hack it, chances are they'll scan it for setuid files or known exploits. In that case, be sure to have every updated security patch available on your systems (use SWA or security_patch_check). Be sure you have no setuid or 777 files/directories. You can use my tool available here:
http://www.mayoxide.com/ncops if it can be of any help. Also check if you have any NFS-exported diectories, and disable root or read/write acces if possible. They might also run crack on your password database, if they can. With 11.11 you don't have shadow passwords so you'll need to convert to a trusted system, that's also a big step (I prefer shadow password). If you can't do this, at least disable all useless accounts and be sure that passwords are hard to guess. A password like AFgT%13$!; is the kind you'll need to consider.
Good luck
