Why would you connect a sensitive computer system to the public internet?
If I was worried about securing it I would simply cut all outside connections.
Once upon a time DOD had itself a very nice secure network, which they got all infected to hell and gone by connecting it to the Internet. It seems that this is a lesson that people have to learn the hard way.
Keeping something disconnected doesn't completely eliminate the possibility of malware infection, unless you fill the network and USB ports with epoxy and post an armed guard to keep people from digging the epoxy out. Frequently, when sensitive systems are compromised, it's via an authorized channel, such as a software update that was infected with malware.