Securing Your Linux Server

Password-protecting the BIOS and GRUB should be done with care. If you do choose to follow this, and it is a very good idea, you need to make sure that there is an offline, secure way to access the password at 2 AM. In the Navy, we would write out passwords and place them in an envelope; two of us would then seal and sign on the seam of the envelope, and then the envelope would be placed in a safe with two combinations. The safe could only be opened when both holders of the combinations were present, and both holders of the combinations needed to inventory the safe at the beginning and end of each watch.

OK, that might be taking it a bit far. But the point is that if you password-protect the means to recover your server, you need to make sure that the password is both available offline and secure.