Key Usage (sign) Boot machine. Read input (private key, to be signed, etc.). Supply two passwords to unlock key. Sign stuff. Write output (certificates, logs). Erase memory and disk. Shut down machine.
Off Site Backup (idle, sign, destroy) Separate safety deposit boxes for: private key media, password half, other password half. Each in its own tamper evident bag. (Should only be necessary for audit or destruction.) It's also possible to just generate new key.
Key Compromise Stop signing with key. Restore trustworthy service. Revoke old key.
Key Destruction (destroy) Simple. Round up all copies and destroy them. Protecting a private key by destroying it is a strategy that might be applicable more often than you think.