diff --git a/1_checklist_introduction.md b/1_checklist_introduction.md
index bd43f9561ad9cee653144b7ffd88101d7371781f..2e1e7f48984bf4c7e3f1a66566ea89762dcbd2f8 100644
--- a/1_checklist_introduction.md
+++ b/1_checklist_introduction.md
@@ -1,17 +1,19 @@
 ---
 document set: DIGITAL SECURITY CHECKLISTS FOR U.S. NON-PROFITS
 title: Introduction
-author: Jonah Silas Sheridan, Lisa Jervis
-last modified: 10/10/2017
-version: "2.0, DRAFT NOT FOR PUBLIC USE"
+author: Jonah Silas Sheridan, Lisa Jervis for Information Ecology
+last modified: 10/26/2017
+version: "2.0, PEER REVIEWED"
 ---
 # Introduction
+
 ## Welcome!
-You hold in your hands (or are viewing on your screen) a set of documents made to help US non-profits step into the work of securing their information and communications from the threats against it. At the heart is a group of checklists focused around a range of topics identified by consultants in the field that intentionally recommend constrained, accessible practices to help protect against widely available attacks on networks and devices. Adopting them will help you minimize security incidents - and the disruption and cost of viruses, malware, ransomware and phishing attempts. While these checklists can't fully protect you against powerful or persistent adversaries, the practices in them can make it harder for such enemies to attack your systems.
+
+You hold in your hands (or are viewing on your screen) a set of documents made to help US non-profits step into the work of securing their information and communications from the threats against it. At its heart is a group of checklists focused around a range of topics identified by consultants in the field that intentionally recommend constrained, accessible practices to help protect against widely available attacks on networks and devices. Adopting them will help you minimize security incidents - and the disruption and cost of viruses, malware, ransomware and phishing attempts. While these checklists can't fully protect you against powerful or persistent adversaries, the practices in them can make it harder for such enemies to attack your systems.
 
 In addition to these lists of practices, this set contains a number of other tools and resources to help you succeed at implementing them:
 
-* Immediately following this introduction you will find [a tool](2_readiness_assessment_tool.md) with instructions for assessing an organization's existing capacities and areas to develop in order to successfully take on this type of work. Completing this tool  is recommended as a first step for all organizations.
+* Immediately following this introduction you will find [a tool](2_readiness_assessment_tool.md) with instructions for assessing an organization's existing capacities and areas to develop in order to successfully take on this type of work. Completing this tool is recommended as a first step for all organizations.
 
 * [Directions and a legend](3_directions_and_legend.md) explaining how to understand and use the checklists.
 
@@ -22,17 +24,19 @@ In addition to these lists of practices, this set contains a number of other too
 * An additional appendix of [Frequently Asked Questions](C_FAQ.md) has been added with information on these checklists' origins and design.
 
 ## About digital security
-Digital security is a popular topic these days at conferences, in the media and even around the dinner table. Yet in the deluge of information about nation-state actors, large scale attacks and major vulnerabilities, taking action remains difficult for small organizations. What does digital security even mean? And how can I get some it?
 
-Really digital security just means the set of practices used manage the risk of bad things happening due to of your organization's use of information and communications systems. That includes protecting them from being accessed, changed, or blocked by anyone or anything — internal or external, intentional or accidental — that shouldn't be able to do so. While we all spend a lot of time thinking about bad actors, sometimes the greatest risks are due to threats like fire or earthquakes.
+Digital security is a popular topic these days at conferences, in the media, and even around the dinner table. Yet in the deluge of information about nation-state actors, large scale attacks, and major vulnerabilities, taking action remains difficult for small organizations. Staff are often wondering, What does digital security even mean? And how can I get some it?
 
-The most effective security strategies, digital or operational, are based on the specific threats, vulnerabilities, and adversaries of your organization. This does not mean that a detailed analysis is necessary to get started improving your digital security practices. Many small U.S. organizations face a shared set of baseline threats and vulnerabilities due to a common reliance on the same systems and technologies and similar operating conditions. These documents are meant to help them address the risks associated with these common needs as a first step of improving their security stances.
+Really, digital security just means the set of practices used to manage the risk of bad things happening due to your organization's use of information and communications systems. That includes protecting them from being accessed, changed, or blocked by anyone or anything--internal or external, intentional or accidental--that shouldn't be able to do so. While we all spend a lot of time thinking about bad actors, sometimes the greatest risks are due to threats like fire or earthquakes.
+
+The most effective security strategies, digital or operational, are based on the specific threats, vulnerabilities, and adversaries of your organization. This does not mean that a detailed analysis is necessary to get started improving your digital security practices. Many small U.S. organizations face a shared set of baseline threats and vulnerabilities due to similarities in their operating conditions frequent reliance on the same systems and technologies. These documents are meant to help these organizations address the risks associated with these common needs as a first step in improving their security stances.
 
 ## About organizational security
-The adoption of new security practices always requires a **strong organizational commitment** as well as support from **organizational leadership**, because it changes the way you and your team work together. New tools and work flows are disruptive, even as they reduce your risk. It takes ongoing attention to turn policies and procedures into habits and to ensure that secure systems are regularly updated, working properly and free of unexpected activity.  The more you can build awareness about the particular threats your organization faces, the better you can select and commit to practices that will be useful for protecting your organization in its work. The more you can create a culture of learning and mutual support in your organization, the more success you will have in the uptake of secure tools.
 
-In these checklists we have identified solutions and practices across a range of levels of technical skill and organizational commitment that meet common threats that many, if not all, small organizations face. However, the effectiveness of these practices to protect from real threats is directly correlated with the investment you make in implementing them. Understand that there are always trade-offs associated with implementing new tools and effort is required of staff to learn to perform tasks in new ways.
+The adoption of new security practices always requires a **strong organizational commitment** as well as support from **organizational leadership**, because it changes the way you and your team work together. New tools and work flows are disruptive, even as they reduce your risk. It takes ongoing attention to turn policies and procedures into habits and to ensure that secure systems are regularly updated, working properly, and free of unexpected activity.  The more you can build awareness about the particular threats your organization faces, the better you can select and commit to practices that will be useful for protecting your organization in its work. The more you can create a culture of learning and mutual support in your organization, the more success you will have in the uptake of secure tools.
+
+In these checklists we have identified solutions and practices across a range of levels of technical skill and organizational commitment that meet common threats that many, if not all, small organizations face. However, the effectiveness of these practices to protect from real threats is directly correlated with the investment you make in implementing them. Understand that there are always trade-offs associated with implementing new tools, and effort is required of staff to learn to perform tasks in new ways.
 
-Treat digital security as the important organizational imperative it is by resourcing it appropriately and ensuring someone in your organization is responsible and given time to manage digital security in their ongoing work. Take the time to identify your most sensitive information and communications to prioritize. Provide staff and volunteers the time, support, resources and training needed to adopt any practices you undertake from these lists. In these ways you assure that the more you put in to securing your systems, the more you will lower your risk of bad outcomes.
+Treat digital security as the important organizational imperative it is by resourcing it appropriately and ensuring someone in your organization is responsible and has time in their workplan to manage digital security in an ongoing way. Take the time to identify your most sensitive information and communications in order to prioritize. Provide staff and volunteers the time, support, resources, and training needed to adopt any practices you undertake from these lists. In these ways you ensure that the more you put in to securing your systems, the more you will lower your risk of bad outcomes.
 
-***Although these practices are highly recommended they do not in and of themselves constitute a successful security practice. Information security is an ongoing process of managing risk and no list of procedures is an adequate replacement for a thorough review of what information you are protecting, why and from whom paired with an organizational commitment to shifting operations to mitigate risk. Information Ecology, RoadMap Consulting and Common Counsel are not liable for negative outcomes associated with following these practices.***
+***Although these practices are highly recommended, they do not in and of themselves constitute a successful security practice. Information security is an ongoing process of managing risk and no list of procedures is an adequate replacement for a thorough review of what information you are protecting, why, and from whom, paired with an organizational commitment to shifting operations to mitigate risk. Information Ecology, RoadMap Consulting, and Common Counsel are not liable for negative outcomes associated with following these practices.***
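Review bot: Two wording errors survive in the rewritten paragraphs of this hunk and should be fixed before the "PEER REVIEWED" label in the front matter is justified. In `+Digital security is a popular topic ... And how can I get some it?` the question is still missing a word ("get some of it?"), and `+... due to similarities in their operating conditions frequent reliance on the same systems ...` has lost the conjunction between "operating conditions" and "frequent reliance" (suggest "operating conditions and frequent reliance"). Minor style: the double space after "working properly, and free of unexpected activity." in the organizational-security paragraph is kept from the old line and could be collapsed while that line is being touched.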
diff --git a/2_readiness_assessment_tool.md b/2_readiness_assessment_tool.md
index 31769ef501800378a37e09dc9be392a0c32cd261..5058f5d99fb5a2f99e9c4c8332bb9a17f8ac6b7a 100644
--- a/2_readiness_assessment_tool.md
+++ b/2_readiness_assessment_tool.md
@@ -2,77 +2,80 @@
 document set: DRAFT DIGITAL SECURITY CHECKLISTS FOR U.S. NON-PROFITS
 title: Digital Security Readiness Assessment Tool
 author: Jonah Silas Sheridan, Lisa Jervis for Information Ecology
-last modified: 9/2/17
-version: "2.0, DRAFT NOT FOR FOR PUBLIC USE"
+last modified: 10/26/17
+version: "2.0, PEER REVIEWED"
 ---
 
 # Digital Security Readiness Assessment Tool
+
 ## Introduction
-This assessment tool is meant to help identify organizations where their most critical security needs lie in their . Many common information systems and technology practices are oriented around providing or supporting security outcomes. Because of that, organizations that have foundational technology capacity issues are best served by putting energy improving baseline systems before taking on new security initiatives.
 
-The tool is laid out as a number of items to assess broken across three categories: cultural hallmarks of security success, information technology operations that support security outcomes and digital security baseline capacities. Go through each section one by one.
+This assessment tool is meant to help organizations identify where their most critical security needs lie. Many common information systems and technology practices are oriented around providing or supporting security outcomes. Because of that, organizations that have foundational technology capacity issues are best served by putting energy improving baseline systems before taking on new security initiatives.
+
+The tool is laid out as a number of items to assess broken out across three categories: cultural hallmarks of security success, information technology operations that support security outcomes, and digital security baseline capacities. Go through each section one by one.
 
-For each item you should honestly grade your organization from 1-10. At the end of each category, there is space to put a subtotal for that section.
+For each item you, should grade your organization honestly on a scale from 1 to 10. At the end of each category, there is space to put a subtotal for that section.
 
 After you have completed all three sections, add up the three subtotals to get your total score.
 
-If you have a total score of 75, no section under 25 and no single item under 5 you should feel confident undertaking the rest of these checklists. Otherwise your organization should concentrate first on any areas of very low score and overall on building capacity in these foundational areas before pursuing additional digital security improvements. 
+If you have a total score of 75, no section under 25 and no single item under 5 you should feel confident undertaking the rest of these checklists. Otherwise, your organization should concentrate first on any areas where you have very low scores, and overall on building capacity in these foundational areas before pursuing additional digital security improvements.
 
-Even if at or above the thresholds indicated, be sure to note the places you have low individual or section scores and talk with your leadership and technology responsible staff to make plans to improve them as soon as possible. Not continually addressing these foundational capacities will likely undermine your security efforts over time.
+Even if you are at or above the thresholds indicated, be sure to note the places you have low individual or section scores and talk with your leadership and technology-responsible staff to make plans to improve them as soon as possible. Not consistently addressing and maintaining these foundational capacities will likely undermine your security efforts over time.
 
 ## Cultural Hallmarks for Security Success
+
 Score: ____      **Have a culture of training and learning, including strong technology training and follow up as part of new staff orientation procedures.**  
 *New tools and practices demand end-user training. If your organization doesn't have established practices around training--when new people are hired, when refresher trainings are needed, and when important processes change--implementing improved and possibly complex secure practices is nearly impossible. Beginning with documentation and training for new hires is a wise first step in this area. Following up with new employees at 30-day intervals will ensure they continue to get the support they need to do their work effectively and securely. When a new process is introduced, it is like everyone in your organization is new to it, so initial training with similar follow-up is recommended.*
 
 Score: ____      **Have a common and clearly communicated set of information systems that are administered by the organization and used with defined processes; ensure that all staff follow these processes effectively and are not using other systems for their work.**
 *If your staff are using personal file-sharing, email, task management, or other accounts without knowledge or guidance from the organization, not only will your efficiency suffer but the environment becomes impractical to secure. How can you protect things you have no access to at an administrative level or, worse yet, don't even know are in use? A good place to start figuring this out if by making an inventory, collaboratively with all staff, of all the places that your information is currently stored.*
 
-*An important way this issue shows up in your organization is the use of cloud services. While many organizations use their personal accounts on those systems, official organizational accounts are vastly preferable. If your organization is a registered US 501c3 non-profit, most cloud providers provide licenses for their applications for free or reduced cost, providing you significant capacity to centrally manage, back up, and monitor your information at a low cost.*
+*An important way this issue shows up in your organization is the use of cloud services. While many organizations use their personal accounts on those systems, official organizational accounts are vastly preferable. If your organization is a registered US 501c3 non-profit, most cloud providers offer licenses for their applications for free or at a discount, providing you significant capacity to centrally manage, back up, and monitor your information at a low cost.*
 
 Score: ____      **Have technology champions at all levels of the organization, especially leadership, and strong supervisory support and participation in systems adoption.**
-*Leadership for technology and operations within your organization can and should come from all levels. Junior staff and younger "digital natives" on staff often use or are open to using more technology in their work so can be motivated to participate in the planning and deployment of information systems and promote uptake among peers. Of course demonstrations of support for and engagement with technology initiatives from management are also powerful motivators for staff. Visible participation by executive leadership in training on and use of official organizational tools is a powerful modeling of preferred behavior and critical to changing organizational habits and culture.*
+*Leadership for technology and operations within your organization can and should come from all levels. Junior staff and younger "digital natives" on staff often use or are open to using more technology in their work so can be motivated to participate in the planning and deployment of information systems and promote uptake among peers. Of course, demonstrations of support for and engagement with technology initiatives from management are also powerful motivators for staff. Visible participation by executive leadership in training on and use of official organizational tools is a powerful modeling of preferred behavior and critical to changing organizational habits and culture.*
 
 Score: ____      **Have a complete policy set describing employees' responsibilities and limitations on their facilities, hardware, and information systems use.**
 *Legal and operating risk due to inconsistent expectations and behavior can hamper even the most well-designed security plan. Managing your risk, employee awareness, and compliance through a strong set of workplace policies around technology but also more generally will set you up for security initiative success.*
 
-Score: ____      **Develop and evaluate baseline non-technical security practices in an ongoing way**
+Score: ____      **Develop and evaluate baseline non-technical security practices in an ongoing way.**
 *If you do not control your office space and access to your computers, your other digital security steps can be easily circumvented by walking into your office. Rotate alarm system codes, door codes, wireless network passwords, and other access mechanisms (for example, emergency building access plans) when staff leave the organization. Sophisticated attackers can gain full control of a computer or network with even a short period of physical access to your space or digital access to unsecured systems. More importantly, non-technical security practices help build healthy habits and a culture of security in your organization.*
 
 Subtotal, Cultural Hallmarks: ____
 
 ## Information Technology Operations that Support Security Outcomes
 
-Score: ____      **Have a recurrent line item for technology in your budget**  
-*Security is an ongoing process and will require regular investments in computer equipment and software to be effective. Work with your technical support provider to determine an appropriate amount to put into this line item.*
+Score: ____      **Have a recurrent line item for technology in your budget.**  
+*Security is an ongoing process and will require regular investments in computer equipment, software, support, and training to be effective. Work with your technical support provider to determine an appropriate amount to put into this line item.*
 
 Score: ____      **Have regular and adequate technical support provided either by staff assigned via job description or contracted with outside agencies.**  
 *If your existing hardware and software are not well supported, introducing new tools and practices will likely meet with significant barriers, as new technologies and tools often demand significant ongoing technical support for proper setup and functioning. Your tech support providers are central to your ability to identify and protect your systems from attack, work they can't do if they don't exist. There are as many ways to obtain technical support as there are organizations. Talking to peer organizations in your area is a good way to find quality help.*
 
 Score: ____      **Regardless of technical support solution, have someone on staff assigned via job description to be responsible for technical operations, including managing technical support providers and systems upgrades.**  
-*No matter how you get your technical support needs, someone needs to have time and responsibility to manage the flow of ongoing support requests, to act as a point person for vendors and consultants, and to lead projects to improve infrastructure. Although this is critical when sourcing technical support services from outside of staff to ensure your organization is owning its own operations, it is perhaps even more important when assigning technical support responsibilities to someone on staff. If internal tech support doesn't have explicit time to put into systems changes and vendor management and can only spend time fixing broken hardware and software systems, your digital security initiatives will suffer from a lack of attention.*
+*No matter how you meet your technical support needs, someone needs to have time and responsibility to manage the flow of ongoing support requests, to act as a point person for vendors and consultants, and to lead projects to improve infrastructure. Although this is critical when sourcing technical support services from outside of staff to ensure your organization is owning its own operations, it is perhaps even more important when assigning technical support responsibilities to someone on staff. If internal tech support doesn't have explicit time to put into systems changes and vendor management and can only spend time fixing broken hardware and software systems, your digital security initiatives will suffer from a lack of attention.*
 
 Score: ____      **Provide relatively new and adequately powered computers to all staff.**  
 *Industry standard best practice is to replace laptops and desktops every 3 to 5 years. Encryption tools use a lot of power and can bring older, inadequately powered computers to a near halt, making some security steps untenable for staff. Money for replacing 1/3 to 1/5 of your computers each year should be part of your recurring technology budgeting.*
 
-Subtotal, Technical Operations: ____
+Subtotal, Technology Operations: ____
 
 ## Digital Security Baseline Capacities
 
 Score: ____      **Have a process for properly onboarding and offboarding staff and volunteers that includes attention to your information systems.**
-*The expansion or contraction of your team is a critical change in your security context, and so is an important moment to institute strong security measures. Your onboarding process should include detailed steps for the creation of accounts and instructions on how to determine and grant the correct and minimum permissions needed for that person's role. When a staff member or volunteer departs, ensure that any of the organization's data that is on their personal or work devices is copied and/or destroyed as necessary. Also at offboarding, all individual accounts belonging to the outgoing person should be deleted and any organizational passwords that they used or accessed in their work should be changed to something new.*
+*The expansion or contraction of your team is a critical change in your security context, and so is an important moment to institute strong security measures. Your onboarding process should include detailed steps for the creation of accounts and instructions on how to determine and grant the correct and minimum permissions needed for that person's role. When a staff member or volunteer departs, ensure that any of the organization's data that is on their personal or work devices is copied to relevant organizational systems and/or destroyed as necessary. Also at offboarding, all individual accounts belonging to the outgoing person should be deleted and any organizational passwords that they used or accessed in their work should be changed to something new.*
 
 Score: ____      **Make sure the computers and other devices you use, including personal devices that staff may use to access organizational information, are only running only the software expected, and only the most recent version of those programs. Have a plan to detect and remove malware, viruses, or other intrusive software and run update tools regularly.**  
-*As a digital security first step, ensure you are running antivirus software on all computers. Antivirus software for Macs and Windows computers is available to non-profits at a discounted rate through [Tech Soup](http://techsoup.org). If you haven't been running antivirus software or otherwise aren't sure about the status of your devices, you can have the operating system (OS) on them reinstalled to help guarantee the computers are free of malware and viruses. This is one benefit of adopting "cloud"-based tools for your organization's information, in that your data is readily available on a freshly installed system.*
+*As a digital security first step, ensure you are running antivirus software on all computers. Antivirus software for Macs and Windows computers is available to non-profits at a discounted rate through [Tech Soup](http://techsoup.org) (http://techsoup.org). If you haven't been running antivirus software or otherwise aren't sure about the status of your devices, you can have the operating system (OS) on them reinstalled to help guarantee the computers are free of malware and viruses. This is one benefit of adopting Internet-based tools for your organization's information, in that your data is readily available on a freshly installed system.*
 
-*When reinstalling, use a copy from the OS provider wherever possible. Computer manufacturers often bundle other software in their installs, which may impact privacy and security but may also contain specific tools for the hardware (especially in laptops). Immediately after installation of the operating system and common software tools, run software updates for both the operating system and, where needed, the other software you have installed. Run these update tools regularly.*
+*When reinstalling, use a copy from the OS provider wherever possible. Computer manufacturers often bundle other software in their installs, which may impact privacy and security (so you don't want them) but may also contain specific tools for the hardware, especially in laptops (so you may need them). Immediately after installation of the operating system and common software tools, run software updates for both the operating system and, where needed, the other software you have installed. Run these update tools regularly.*
 
 *Note that there are other ways in which your devices can be compromised at a level underneath the operating system; this cannot be remedied by an OS reinstall. If your computers have been handled by third parties you don't trust or out of your possession in a hostile environment, or if you suspect intrusion by powerful or well-resourced entities, get a new computer and call a security professional.*
 
 Score: ____      **Minimize or eliminate the use of shared accounts where more than one person, especially less-vetted parties like volunteers, can log in to your systems using the same credentials.**
-*While in the short term sharing accounts and login information can be expedient and lower licensing fees, the long-term ability to monitor and control access is more important to security outcomes. In addition, the disruption and security concerns caused by changing a broadly used password and sharing it around are potential costs that shouldn't be ignored. Sophisticated systems like GSuite or Office365 allow for "account delegation," where two people can share an account using their own distinct login credentials; this is a better way to solve these challenges than account sharing.*
+*While in the short term it seems expedient and can be cheaper to share accounts and login information, the long-term ability to monitor and control access is more important to security outcomes. In addition, the disruption and security concerns caused by changing a broadly used password and sharing it around are potential costs that shouldn't be ignored. Sophisticated systems like G Suite or Office 365 allow for "account delegation," where two people can share an account using their own distinct login credentials; this is a better way to solve these challenges than account sharing.*
 
-Score: ____      **Have a disaster recovery plan that includes making and testing regular backups of organizational data that are stored away from your main office site. Backup drives should be at a minimum stored in a physically secure location like a locking file cabinet or safety deposit box, and ideally encrypted so that only you can access them. Do not rely exclusively on third parties to back up and hold your information.**  
-*This digital security practice is a straightforward way to protect yourself from a whole host of events that could compromise your information's integrity or cause you to lose access to it; it is so critical that it needs to come before any other digital security steps. Talk to your technical support provider about the status of your backups and when restoring data from them they was last tested. Refer to [this guide](http://www.techsoup.org/disaster-planning-and-recovery) and/or [this webinar](http://www.communityit.com/resources/webinar-february-18-2016-backups-and-disaster-recovery-for-nonprofits/) for ideas on how to improve your disaster preparedness.*
+Score: ____      **Have a disaster recovery plan that includes making and testing regular backups of organizational data that are stored away from your main office site. Backup drives should at a minimum be stored in a physically secure location like a locking file cabinet or safety deposit box, and ideally encrypted so that only you can access them. Do not rely exclusively on third parties to back up and hold your information.**  
+*This digital security practice is a straightforward way to protect yourself from a whole host of events that could compromise your information's integrity or cause you to lose access to it; it is so critical that it needs to come before any other digital security steps. Talk to your technical support provider about the status of your backups and when restoring data from them they was last tested. Refer to [this guide](http://www.techsoup.org/disaster-planning-and-recovery) (http://www.techsoup.org/disaster-planning-and-recovery) and/or [this webinar](http://www.communityit.com/resources/webinar-february-18-2016-backups-and-disaster-recovery-for-nonprofits/) (http://www.communityit.com/resources/webinar-february-18-2016-backups-and-disaster-recovery-for-nonprofits/) for ideas on how to improve your disaster preparedness.*
 
 Subtotal, Baseline Capacities: ____
 
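Review bot: the grammatical slip in the disaster-recovery explanation survives the rewrite; the added line still reads "when restoring data from them they was last tested" and should be "when restoring data from them was last tested" (or "when a restore from them was last tested"). Separately, the bare URL repeated in parentheses after each markdown link in that line will render as a second, duplicate link in the HTML/PDF output; if the repetition is intentional so the address survives printing, it should be applied consistently across the set (the introduction paragraph in the device checklist uses links only), otherwise drop the parenthetical copies.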
diff --git a/3_directions_and_legend.md b/3_directions_and_legend.md
index 81cba8be8af30dab485ee8c0b00d9fbb94ff74df..eba69f006ff475a554e3bad89eeb76b7c0d544d0 100644
--- a/3_directions_and_legend.md
+++ b/3_directions_and_legend.md
@@ -2,30 +2,32 @@
 document set: DIGITAL SECURITY CHECKLISTS FOR U.S. NON-PROFITS
 title: Directions and Legend
 author: Jonah Silas Sheridan, Lisa Jervis
-last modified: 10/24/17
-version: "2.0, DRAFT NOT FOR FOR PUBLIC USE"
+last modified: 10/26/17
+version: "2.0, PEER REVIEWED"
 ---
 # Directions for Use
 
 ## Before using these checklists
-The first item in the set is a Digital Security Readiness Assessment Tool. We recommend you use this tool to see how prepared your organization is to take on digital security upgrades.
 
-Since many foundational technology management and operations tasks underly digital security capacity, or are even digital security tasks themselves, this tool is broken into three categories: cultural hallmarks of security success, information technology operations that support security outcomes and digital security baseline capacities. Follow the directions on the tool itself to find out how prepared your organization is before proceeding.
+The first item in the set is a [Digital Security Readiness Assessment Tool](2_readiness_assessment_tool.md). We recommend you use this tool to see how prepared your organization is to take on digital security upgrades.
 
-If your level of preparation is low in any broad category, individual item or overall that is the place to begin building your digital security capacity. If you decide to move onto the checklists in the meantime, be aware that your outcomes may be limited by these organizational dynamics.
+Since many foundational technology management and operations tasks underlie digital security capacity, or are even digital security tasks themselves, this tool is broken out into three categories: cultural hallmarks of security success, information technology operations that support security outcomes, and digital security baseline capacities. Follow the directions for the tool itself to find out how prepared your organization is before proceeding.
 
-Continual attention to these foundational capacities is requisite to continue to have success in digital security efforts, so be sure to have a plan to keep improving your organization in these areas.
+If your level of preparation is low in any broad category, individual item, or overall, that is the place to begin building your digital security capacity. If you decide to move on to the checklists in the meantime, be aware that your outcomes may be limited by these organizational dynamics.
+
+Consistent attention to and maintence of these foundational capacities is necessary for success in digital security efforts, so be sure to have a plan to keep improving your organization in these areas.
 
 ## How to use the checklists
-Once your organization has the readiness needed to take on some new security practices, you should proceed to the checklists themselves. They are compiled around specific topical areas, namely device security, authentication, wireless networks and email.
 
-We recommend pursuing these checklists in the order they are presented in this set, excepting if you are using a specific platform, tool or technology with dedicated a checklist of its own (such as email, wireless or GSuite) in which case you should start there.
+Once your organization has the readiness needed to take on some new security practices, you should proceed to the checklists themselves. They are compiled around specific topical areas, namely device security, authentication, wireless networks, email, and, for those who use it, G Suite.
+
+We recommend pursuing these checklists in the order they are presented in this set, except that if you are using a specific platform, tool, or technology with dedicated a checklist of its own (such as G Suite) in which case you should start there.
 
 All items on the these checklists are meant to be actionable and accessible; each checklist item includes a brief explanation of what it means as well as, where possible, next steps for implementation.
 
-The icons accompanying each item will help you identify how hard to manage (as indicated by the :rocket: icons), technically difficult (as indicated by the :wrench: icons) and disruptive (as indicated by the :fire: icons) a given step might be to undertake. Be sure to pick practices which match the time and resources your organization has available.
+The icons accompanying each item will help you identify how hard to manage (as indicated by the :rocket: icons), technically difficult (as indicated by the :wrench: icons) and disruptive (as indicated by the :fire: icons) a given step might be to undertake. Be sure to pick practices that match the time and resources your organization has available.
 
-Be especially aware of the :fire: rating as it indicated disruption so only take on the ones with multiple :fire: icons if you have the space to spend time as an organization absorbing training overhead and work flow transformation.
+Be especially aware of the :fire: rating, as it indicates disruption--only take on the practices with multiple :fire: icons if you have the space to spend time as an organization absorbing training overhead and work flow transformation.
 
 ## Legend
 
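Review bot: two wording defects remain on the added lines of this hunk. "maintence" in the foundational-capacities paragraph should be "maintenance", and the exception clause in the ordering paragraph is still ungrammatical ("except that if you are using ... with dedicated a checklist of its own (such as G Suite) in which case you should start there"); suggest "except that if you are using a specific platform, tool, or technology with a dedicated checklist of its own (such as G Suite), you should start there." The unchanged context line "All items on the these checklists" also has a doubled article that could be fixed in the same pass, since the paragraph is being edited anyway.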
@@ -33,12 +35,12 @@ Be especially aware of the :fire: rating as it indicated disruption so only take
 This check mark icon flags places for you to record actions you have taken. Cross them off or circle them as you go.
 
 ## :rocket:  
-This rocket icon represents the amount of technology management overhead required to implementation the item, in terms of the attention of technology responsible and leadership staff inside an organization. One star items should be doable by most technology capable organizations that achievs other basic technology competency. Items with two stars may require additional time carved out beyond what regular operations demand, as they possibly require some outside assistance and work flow shifts. Three stars will require significant organizational commitment of resources to manage the project of implementing the recommendation, for support of renewed work flows, and to interface with technical assistance. Items with four stars are only for organizations ready to take on advanced security practices, including a part-to-full time dedicated project manager as well as the ongoing commitment of human and other resources needed for process management, technical configuration, training, and ongoing support.
+This rocket icon represents the amount of technology management overhead required to implementation the item, in terms of the attention of leadership and technology-responsible staff inside an organization. One-rocket items should be doable by most technology capable organizations that have achieved other basic technology competency. Items with two rockets may require additional time carved out beyond what regular operations demand, as they possibly require some outside assistance and work flow shifts. Three rockets will require significant organizational commitment of resources to manage the project of implementing the recommendation, for support of renewed work flows, and to interface with technical assistance. Items with four rockets are only for organizations ready to take on advanced security practices, including a part-to-full-time dedicated project manager as well as the ongoing commitment of human and other resources needed for process management, technical configuration, training, and ongoing support.
 
 ## :wrench:    
-This wrench icon represents the amount of technical skill needed to undertake the practice. One set of tools means most skilled computer users can do, or be trained to do, the task. Two wrenches require “power user” technical skills, often found in the “Accidental Techie” on staff. Three wrenches will require a person experienced in technical support or systems administration to do the work. Four wrenches means you will need a technical support person or internal staffer with significant skills in networking or security to undertake the practice.
+This wrench icon represents the amount of technical skill needed to undertake the practice. One wrench means most skilled computer users can do, or be trained to do, the task. Two wrenches require “power user” technical skills, often found in the “Accidental Techie” on staff. Three wrenches will require a person experienced in technical support or systems administration to do the work. Four wrenches means you will need a technical support person or internal staffer with significant skills in networking or security to undertake the practice.
 
 ## :fire:  
-This flame icon represents the amount of work flow disruption taking on this task entails, and consequently how much staff time for documentation, training and work shifts is required. One flame items will be mostly innocuous and staff can be trained in a brief session. Two flames means the practice will require more training and can disrupt existing work flows dramatically. Three flames signals that significant work flow shifts and training will be required to undertake the practice. Four flames means the task will disrupt work flow completely and is only for organizations where security is of far greater importance than efficiency or convenience.
+This fire icon represents the amount of work flow disruption taking on this task entails, and consequently how much staff time for documentation, training, and practice to achieve work flow shifts is required. One-flame items will be mostly innocuous and staff can be trained in a brief session. Two flames means the practice will require more training and can disrupt existing work flows. Three flames signals that significant work flow shifts and training will be required to undertake the practice. Four flames means the task will disrupt work flow completely and is only for organizations where security is of far greater importance than efficiency or convenience.
 
-***Although these practices are highly recommended they do not in and of themselves constitute a successful security practice. Information security is an ongoing process of managing risk and no list of procedures is an adequate replacement for a thorough review of what information you are protecting, why and from whom paired with an organizational commitment to shifting operations to mitigate risk. Information Ecology, RoadMap Consulting and Common Counsel are not liable for negative outcomes associated with following these practices.***
+***Although these practices are highly recommended, they do not in and of themselves constitute a successful security practice. Information security is an ongoing process of managing risk and no list of procedures is an adequate replacement for a thorough review of what information you are protecting, why, and from whom, paired with an organizational commitment to shifting operations to mitigate risk. Information Ecology, RoadMap Consulting, and Common Counsel are not liable for negative outcomes associated with following these practices.***
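Review bot: "required to implementation the item" in the rocket legend was carried over unchanged and should be "required to implement the item". In the same sentence, "technology capable organizations" reads better hyphenated ("technology-capable organizations"), matching the "technology-responsible staff" wording this change introduces a few words earlier. The wrench and fire legends read correctly after the edit.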
diff --git a/4_device_security_checklist.md b/4_device_security_checklist.md
index b67e921b1772976546105dc00034d17b9c03f904..7a8491f5953638073ccdfef9ffcde1ba276d5729 100644
--- a/4_device_security_checklist.md
+++ b/4_device_security_checklist.md
@@ -2,105 +2,112 @@
 document set: DRAFT DIGITAL SECURITY CHECKLISTS FOR U.S. NON-PROFITS
 title: Device Security Checklist
 author: Jonah Silas Sheridan, Lisa Jervis for Information Ecology
-last modified: 10/24/2017
-version: "2.0 DRAFT, NOT PEER REVIEWED"
+last modified: 10/26/2017
+version: "2.0 DRAFT, PEER REVIEWED"
 ---
 
 # Device Security Checklist
+
 ## Introduction
 
-*This checklist comes from the Weathering the Storms toolkit, which contains wraparound documentation including an introduction, frequently asked questions, and a glossary where you can look up any terms that are unfamiliar to you. This is a community-driven document set with the latest version always at https://ecl.gy/sec-check. We welcome your feedback via RoadMap, or our contact form at https://iecology.org/contact/.*
+*This checklist comes from the Weathering the Storms toolkit, which contains wraparound documentation including an [introduction](1_checklist_introduction.md), [frequently asked questions](C_FAQ.md), and a [glossary](A_glossary.md) where you can look up any terms that are unfamiliar to you. This is a community-driven document set with the latest version always at [https://ecl.gy/sec-check](https://ecl.gy/sec-check). We welcome your feedback via RoadMap, or our contact form at [https://iecology.org/contact/](https://iecology.org/contact/).*
 
-Securing your devices or "endpoints" (meaning that they are one end of all connections you make to a website, online service or other person's device) is a cornerstone of digital security. In general, security trainers and practitioners -- and the documents and manuals they use -- operate from an assumption that your devices are secure from intrusion and not running any malicious software. This is important because anyone who can control your devices can see and control all the same information you can, and so any protections of that information as it travels across internal networks or the open Internet become irrelevant.
+Securing your devices or "endpoints" (meaning that they are one end of all connections you make to a website, online service, or other person's device) is a cornerstone of digital security. In general, security trainers and practitioners--and the documents and manuals they use--operate from an assumption that your devices are secure from intrusion and not running any malicious software. This is important because anyone who can control your devices can see and control all the same information you can, and so any protections of that information as it travels across internal networks or the open Internet become irrelevant.
 
 Unfortunately, in practice, it is not a reasonable assumption in the operating reality of many non-profits and activists that our devices are not compromised. Especially with the increased use of encryption technologies to secure communications and other sensitive information as it moves over the network, attacks on hardware in devices themselves and, more commonly, the software running on them has become a more attractive strategy for obtaining or altering data. These factors combined mean that putting time and effort into securing your devices is a critical task for securing your organization and ensuring that any further steps you take to improve your security are meaningful.
 
-This checklist provides a number of practices that can help you protect your devices from being vulnerable to  threats to the confidentiality, availability, or integrity of the information stored on them or on the networks they connect to. By educating your staff about the importance of device protection, training and supporting staff in implementing these practices, and making them part of your organization's onboarding processes and technology policies, you can increase security for individual staff and the organization as a whole. Furthermore, you can better trust that any other secure systems or services your organization adopts are protecting you as expected.
+This checklist provides a number of practices that can help you protect your devices from being vulnerable to  threats to the confidentiality, availability, or integrity of the information stored on them or on the networks they connect to. By educating your staff about the importance of device protection, training and supporting staff in implementing these practices, and making device security part of your organization's onboarding processes and technology policies, you can increase security for individual staff and the organization as a whole. Furthermore, you can better trust that any other secure systems or services your organization adopts are protecting you as expected.
 
 The recommendations on this checklist:
 
 * Are meant to be applicable to computers, mobile phones, and tablets except where otherwise indicated.
 
-* Do not constitute a complete set of device endpoint protection activities and are especially ill-suited for protecting you from targeted attacks by well-resourced and persistent organizations or entities.
+* Do not constitute a complete set of endpoint device protection activities and are especially ill-suited for protecting you from targeted attacks by well-resourced and persistent organizations or entities.
 
-* Will not fully protect you from the consequences of losing physical control of your device, including situations where a technically capable group has physical access to your device such as may happen at an international border, if you are arrested or detained, or if your device is stolen. If your threat model includes these sorts of concerns, contact a digital security professional to help you build systems that will remain resilient in your specific context.
+* Will not fully protect you from the consequences of losing physical control of your device, especially situations where a technically capable group has physical access to your device such as may happen at an international border, if you are arrested or detained, or if your device is stolen. If your threat model includes these sorts of concerns, contact a digital security professional to help you build systems that will remain resilient in your specific context.
 
 ## Key
+
 :heavy_check_mark: Record actions  
-:rocket: Implementation management overhead rating   
+:rocket: Implementation management overhead   
 :wrench: Technical skill level required
 :fire: Work flow disruption for staff
 
 ## General Device Security Tasks for Computers, Mobile Phones, and Tablets
+
 :heavy_check_mark:     **Keep your devices in your control, always.**
 :rocket::wrench::fire::fire::fire:
-*The easiest way to attack someone's devices is to gain physical control of them. Consequently, the most important practice you can follow to protect them is to keep them in your control at all times. This means that you know where they are and can ensure that nobody is accessing them without your permission. When working in a public place, don't leave any device alone even for a couple of minutes. Aways take your phone with you, and do the same for a laptop. If you have to leave a device someplace, ask someone you trust (not the stranger at the next table!) to supervise it for you to ensure nobody tries to login or insert any devices into it. This can be inconvenient but ensures nobody can surreptitiously install software on or hardware in your device without your knowledge.
-Note: There is a difference between keeping a device safe from criminals and in your control. For example, keeping your devices in your locked office building may keep them “safe from criminals” but does leave them accessible to any cleaners who come after hours. Even a hotel room safe can be accessed by the hotel staff. It is impractical to keep your device on your persons as all times. (Devices become quite unreliable after being taken into the shower.) So, you should focus on reasonable controls to prevent bad actors from having physical access to your devices. Keeping your device at your home if it is properly secured, or locked in a drawer at night, can provide you a level of security that will force your adversaries to take more extreme means in order to compromise your devices.
+*The easiest way to attack someone's devices is to gain physical control of them. Consequently, the most important practice you can follow to protect them is to keep them in your control at all times. This means that you know where they are and can ensure that nobody is accessing them without your permission. When working in a public place, don't leave any device alone even for a couple of minutes. Aways take your phone with you, and do the same for a laptop. If you have to leave a device someplace, ask someone you trust (not the stranger at the next table!) to supervise it for you to ensure nobody tries to log in or insert any devices into it. This can be inconvenient but ensures nobody can surreptitiously install software on or hardware in your device without your knowledge.
+Note: There is a difference between keeping a device safe from theft and in your control. For example, keeping your devices in your locked office building may keep them safe from theft but does leave them accessible to any cleaners who come after hours. Even a hotel room safe can be accessed by the hotel staff. It is impractical to keep your device on your person as all times. (Devices become quite unreliable after being taken into the shower.) So, you should focus on reasonable controls to prevent bad actors from having physical access to your devices. Keeping your device at your home if it is properly secured, or locked in a drawer at night, can provide you a level of security that will force your adversaries to take more extreme means in order to compromise your devices.*
 
 
 :heavy_check_mark:     **Run the updating tool for your operating system and applications whenever updates are available and/or set updates to run automatically.**
 :rocket::wrench::fire::fire:
 *The operating system is the most basic software a device can run, and every other program or application depends on it. Operating systems are often tied to specific hardware; major examples include Microsoft Windows, Apple's OSX (for computers) and iOS (for iPhones and iPads), Android, ChromeOS (for Chromebooks), and Linux.
 Nearly every update for operating systems and/or software also include security fixes. When updates become public, the vulnerabilities that they address become known by any bad actors who are looking for ways to exploit other people's systems. From the moment an update is released you are at increasing risk of a bad actor using the vulnerabilities in that update against you until the moment you install that update.  Setting updates to run automatically will help, but you should still manually start the update process if you learn of a specific security issue with any of your software. If you don't want to run updates automatically, you should run your update process promptly when alerted that updates are available. Note that you may need to restart your device for many updates to take effect, so allowing your device to restart after an update is required for the update to provide protection.
+
 If you have specific software requirements or custom software created for your organization, automatic updates can cause work disruption, as some OS updates may be incompatible with existing software. Therefore, operationalizing this recommendation must be coordinated with your IT team or tech support provider.*
 
 :heavy_check_mark:     **Use built-in full disk encryption on your devices and shut them down when they are not in use or are at risk of loss.**
 :rocket::wrench::fire::fire:
-*Full disk encryption means that the contents of a disk, usually the storage inside your device -- which contains the operating system, programs you have installed, and your organizational data -- are scrambled so that they cannot be easily accessed when the device is off. Without this feature, someone who steals your device, finds your lost device, or otherwise accesses your hardware can easily read your files and possibly impersonate you to your systems.
+*Full disk encryption means that the contents of a disk, usually the storage inside your device--which contains the operating system, programs you have installed, and your organizational data--are scrambled so that they cannot be easily accessed when the device is off. Without this feature, someone who steals your device, finds your lost device, or otherwise accesses your hardware can easily read your files and possibly impersonate you to your systems.
+
+Although full disk encryption is enabled by default on some mobile devices, it must be manually set up on all laptop and desktop computers, and many phones and tablets. The full disk encryption feature is called Bitlocker on Windows (setup instructions and [licensing requirements](https://en.wikipedia.org/wiki/BitLocker#Availability) (https://en.wikipedia.org/wiki/BitLocker#Availability) vary depending on Windows version and hardware details), Filevault on OSX (find this under System Preferences>Security & Privacy), and LUKS on Linux (setup instructions depend on your distribution). On mobile devices running Android 5.0 and later, you can turn on this feature in the Security section of Settings menu. On iOS 7 and earlier, you can turn this on in the Passcode section of the General settings. Chromebooks and devices running iOS 8 or later have full disk encryption enabled by default. For advanced users, an open source encryption tool called VeraCrypt can also provide full disk encryption to Windows, OSX, and Linux computers as well as offering other advanced features; it can be found at[https://www.veracrypt.fr/en/Home.html](https://www.veracrypt.fr/en/Home.html).* __This recommendation is not effective unless is it coupled with the practices described in the next item, regarding device authentication and locking, to make sure the encryption cannot be easily bypassed when the computer is running.__
 
-Although full disk encryption is enabled by default on some mobile devices, it must be manually set up on all laptop and desktop computers, and many phones and tablets. The full disk encryption feature is called Bitlocker on Windows (setup instructions and [licensing requirements](https://en.wikipedia.org/wiki/BitLocker#Availability) vary depending on Windows version and hardware details), Filevault on OSX (find this under System Preferences>Security & Privacy), and LUKS on Linux (setup instructions depend on your distribution). On mobile devices running Android 5.0 and later, you can turn on this feature in the Security section of Settings menu. On iOS 7 and earlier, you can turn this on in the Passcode section of the General settings. Chromebooks and devices running iOS 8 or later have full disk encryption enabled by default. For advanced users, an open source encryption tool called VeraCrypt can also provide full disk encryption to Windows, OSX, and Linux computers as well as offering other advanced features and can be found at https://www.veracrypt.fr/en/Home.html.* __This recommendation is not effective unless is it coupled with the practices described in the next item, regarding device authentication and locking, to make sure the encryption cannot be easily bypassed when the computer is running.__
-*Full disk encryption only provides protection when your computer is turned off or turned on but awaiting a password to start up. Once you have logged in, the computer has the secret key needed for decrypting your data in its memory (so you can work!) and so even with the screen locked there is some risk of someone obtaining access to the contents of your computer while it is running or even hibernating. However in general surmounting those controls is a highly technical attack and that risk shouldn't stop you from keeping your computer turned on or logged in when you need to work. It is, however, best to to turn off your devices whenever your device will be away from you in a hostile environment.*
-*It is important to know that full disk encryption requires your device to do complex math, so turning on this feature will use processing power and may even make the oldest devices (5 years only or greater, likely) unreasonably slow to use. Full disk encryption can also increase the risk of you losing access to some of your information if robust password or PIN management practices are not in place. A lost password or PIN as well as failure of the part of the disk where the encryption keys are stored will generally mean you (as well as anyone else) cannot recover your data. Ensure you use syncing services and/or have regular backups of your data to minimize the risk of data loss. It is critical to secure any sync'ed or backed up copies of your data and the servers they are stored on. Full disk encryption can also be used on an external hard drive or USB sticks you use for backups using the same built in tools mentioned above or by using VeraCrypt.*
+*Full disk encryption provides protection only when your computer is turned off, or turned on but awaiting a password to start up. Once you have logged in, the computer has the secret key needed for decrypting your data in its memory (so you can work!) and so even with the screen locked there is some risk of someone obtaining access to the contents of your computer while it is running or even sleeping. However, in general, surmounting those controls is a highly technical attack and that risk shouldn't stop you from keeping your computer turned on or logged in when you need to work. It is, however, best to to turn off your devices whenever your device will be away from you in a hostile environment.*
+
+*It is important to know that full disk encryption requires your device to do complex math, so turning on this feature will use processing power and may even make the oldest devices (around 5 or more years old) unreasonably slow to use. Full disk encryption can also increase the risk of you losing access to some of your information if robust password- or PIN-management practices are not in place. A lost password or PIN as well as failure of the part of the disk where the encryption keys are stored will generally mean you (as well as anyone else) cannot recover your data. Ensure that you use syncing services and/or have regular backups of your data to minimize the risk of data loss. (Note that it is also critical to secure any synced or backed up copies of your data and the servers they are stored on.) Full disk encryption can also be used on external hard drives or USB sticks you use for backups using the same built-in tools mentioned above or by using VeraCrypt.*
 
 :heavy_check_mark:     **Use a strong password or long PIN code on all your devices, set your devices to lock themselves after a short period, and manually lock any device if walking away from it. Be aware of your surroundings when entering your password or PIN to ensure no one is watching and your movements aren't being recorded on camera.**
 :rocket::wrench::fire::fire::fire:
-*Always set up a long (8 numbers or more) PIN code or complex password to log in to any device -- computer, phone, and tablet -- to ensure that a lost or stolen device is inaccessible through its screen and the hardware remains encrypted. Use the screen timeout feature of your device and require your password or PIN to wake it back up to ensure that your information and your accounts are protected even if the device is found while turned on. The shorter the screen timeout period, the shorter the amount of time your device is vulnerable -- so choose as short a time as you can while still being able to do your work. If stepping away from a device, manually lock the screen. Nearly every computer operating system has a keyboard shortcut or other quick way to lock a device (look it up in the relevant documentation or ask your technical support provider). Be aware when entering a PIN or password in public spaces to be sure nobody malicious is watching and that your keystrokes are not being recorded on camera. For mobile devices, biometric unlocking mechanisms (for example, fingerprints or facial recognition), swipe patterns, and other locking mechanisms are becoming more common, and are generally easier to use than complex passwords and long PINs. However, they can be more easily bypassed by, for example, grabbing your wrist and forcing your thumb into the button, holding your phone up to your face, or looking at the pattern of skin oils on your screen to see a swipe pattern. For these reasons they are not recommended. This may change as implementations improve.*
+*Always set up a long (8 numbers or more) PIN code or complex password (longer than 12 characters and including a mix of two or three different types of characters (e.g., symbols, numbers, and both upper- and lowercase letters)) to log in to any device--computer, phone, or tablet. This ensures that a lost or stolen device is inaccessible through its screen and the hardware remains encrypted. Use the screen timeout feature of your device and require your password or PIN to wake it back up to ensure that your information and your accounts are protected even if the device is found while turned on. The shorter the screen timeout period, the shorter the amount of time your device is vulnerable--so choose as short a time as you can while still being able to do your work. If stepping away from a device, manually lock the screen. Nearly every computer operating system has a keyboard shortcut or other quick way to lock a device (look it up in the relevant documentation or ask your technical support provider). Be aware when entering a PIN or password in public spaces to be sure nobody malicious is watching and that your keystrokes are not being recorded on camera. For mobile devices, biometric unlocking mechanisms (for example, fingerprints or facial recognition), swipe patterns, and other locking mechanisms are becoming more common, and are generally easier to use than complex passwords and long PINs. However, they can be more easily bypassed by, for example, grabbing your wrist and forcing your thumb into the button, holding your phone up to your face, or looking at the pattern of skin oils on your screen to see a swipe pattern. For these reasons they are not recommended. This may change as implementations improve.*
 
-:heavy_check_mark:     **Turn off the built-in file sharing functionality on your computer or device.**  
+:heavy_check_mark:     **Turn off the built-in file sharing functionality on your device.**  
 :rocket::wrench::fire::fire:  
-*Although handy for sharing files with peers, the built-in file sharing functionality on your computer is vulnerable to abuse or accidental information leakage, especially on simple networks like one finds in cafés or on airplanes, which don't provide host isolation (the lack of host isolation means that any device using the wireless can connect to any other device). It is preferable to set up alternate tools and practices for sharing files, such as a central file repository in your office or a cloud file service.*
+*Although handy for sharing files with peers, the built-in file sharing functionality on your device is vulnerable to abuse or accidental information leakage, especially on simple networks like one finds in cafés or on airplanes, which don't provide host isolation (the lack of host isolation means that any device using the wireless can connect to any other device). It is preferable to set up alternate tools and practices for sharing files, such as a central file repository in your office or a an Internet-based file service.*
 
-*To turn off file sharing on a Mac, go to Apple menu \> System Preferences, then click Sharing and make sure all the boxes are unchecked. Also disable AirDrop on your computer by going to the Finder, and choosing AirDrop under the Go menu. When the window comes up, you will see the phrase "Allow me to be discovered by" with a dropdown menu for completion. Choose "No One" from this dropdown. On an iOS device, select “Receiving Off” in the Control Center’s AirDrop settings. See [this article]("https://support.microsoft.com/en-us/kb/307874") for turning off file sharing on a Windows computer.*
+*To turn off file sharing on a Mac, go to Apple menu\>System Preferences, then click Sharing and make sure all the boxes are unchecked. Also disable AirDrop on your computer by going to the Finder, and choosing AirDrop under the Go menu. When the window comes up, you will see the phrase "Allow me to be discovered by" with a dropdown menu for completion. Choose "No One" from this dropdown. On an iOS device, select “Receiving Off” in the Control Center’s AirDrop settings. See [this article](https://support.microsoft.com/en-us/kb/307874) (https://support.microsoft.com/en-us/kb/307874) for turning off file sharing on a Windows computer.*
 
 *Recognize that if you are currently using any built-in file sharing functionality to share files inside an office, doing this will disrupt current work practices.*
 
-:heavy_check_mark:     **Run antivirus, anti-malware, and ad blocking software on your devices.**
+:heavy_check_mark:     **Run antivirus, anti-malware, and ad-blocking software on your devices.**
 :rocket::wrench::wrench::wrench::fire::fire:
-*Antivirus and anti-malware software are programs that scan all files coming in or going out for files that are known to infect, steal data from, or otherwise abuse your device or data without your consent. While these tools work only against software already created, identified, and added to the software's lists of what to scan for, a large proportion of intrusions rely on these well-known threats. However, these types of software by their very nature must have access to all of the files on your computer, and so can themselves be a vector of intrusion. For this reason, you are best off with software made by a well-known manufacturer and vetted by your technical support provider. Never trust "free" or "no-cost" software promising to scan for viruses and malware, especially those that appear in pop-up advertisements in your web browser or on your device, as they often carry viruses themselves. TechSoup offers low-cost [Symantec](http://www.techsoup.org/symantec-catalog) and [Bitdefender](http://www.techsoup.org/bitdefender) antivirus software to most non-profit organizations. Both are available for Mac, Windows and Linux devices, but Bitdefender is also available for Android as well.
+*Antivirus and anti-malware software are programs that scan all files coming in or going out for files that are known to infect, steal data from, or otherwise abuse your device or data without your consent. While these tools work only against software already created, identified, and added to the software's lists of what to scan for, a large proportion of intrusions rely on these well-known threats. However, these types of software by their very nature must have access to all of the files on your computer, and so can themselves be a vector of intrusion. For this reason, you are best off with software made by a well-known manufacturer and vetted by your technical support provider. Never trust "free" or "no-cost" software promising to scan for viruses and malware, especially those that appear in pop-up advertisements in your web browser or on your device, as they often carry viruses themselves. TechSoup offers low-cost [Symantec](http://www.techsoup.org/symantec-catalog) (http://www.techsoup.org/symantec-catalog) and [Bitdefender](http://www.techsoup.org/bitdefender) (http://www.techsoup.org/bitdefender) antivirus software to most non-profit organizations. Both are available for Mac, Windows and Linux devices, but Bitdefender is also available for Android as well.
+
 Note that the work of scanning for viruses and malware takes power from your device's processor, often a significant amount, so if it is already slow this may make your device unusable at times.
-Ad-blocking software will keep advertisements from loading on your web browser or device. Because of the complexity of modern ads, they can be vectors of attack, so you are safer blocking them entirely. Furthermore, removing advertisements should also improve your device's performance since it won't use your network connection to load, or use your processor to run, all of that often fancy (and insecure) content. However, ad-blocking software suffers from the same problems as antivirus software, and there are many that actually track you or inject other advertisements. uBlock Origin is a well-respected open source ad blocker that is available for Chrome, Firefox (including on Android), Safari, and Microsoft Edge. It can be downloaded from https://github.com/gorhill/uBlock/* ***Note that there is another ad blocker called just uBlock or μBlock that uses a similar logo as uBlock origin but is not recommended.***
+Ad-blocking software will keep advertisements from loading on your web browser or device. Because of the complexity of modern ads, they can be vectors of attack, so you are safer blocking them entirely. Furthermore, removing advertisements should also improve your device's performance since it won't use your network connection to load, or use your processor to run, all of that often fancy (and insecure) content. However, ad-blocking software suffers from the same problems as antivirus software, and there are many that actually track you or inject other advertisements. uBlock Origin is a well-respected open source ad blocker that is available for Chrome, Firefox (including on Android), Safari, and Microsoft Edge. It can be downloaded from [https://github.com/gorhill/uBlock/](https://github.com/gorhill/uBlock/).* ***Note that there is another ad blocker called just uBlock or μBlock that uses a similar logo as uBlock origin but is not recommended.***
 
 :heavy_check_mark:     **Install the HTTPS Everywhere extension on all of the web browsers you use.**  
 :rocket::wrench::fire:  
-
-*The "s" in HTTPS stands for "secure," and when you see "https://" rather than "http://" in your browser's address bar, it means that are securely connected to the site you are visiting: The information being sent back and forth between your browser and the site's server is encrypted and so cannot be seen by others on the wireless network or the operator of the network itself. The browser extension HTTPS Everywhere forces your browser to connect using HTTPS instead of HTTP to any site that makes an HTTPS connection available, thus increasing the proportion of your traffic that cannot be viewed or altered by others on your network. You can install that plugin from [this page]("https://www.eff.org/HTTPS-EVERYWHERE").*
+*The "s" in HTTPS stands for "secure," and when you see "https://" rather than "http://" in your browser's address bar, it means that you are securely connected to the site you are visiting: The information being sent back and forth between your browser and the site's server is encrypted and so cannot be seen by others on the wireless network or the operator of the network itself. The browser extension HTTPS Everywhere forces your browser to connect using HTTPS instead of HTTP to any site that makes an HTTPS connection available, thus increasing the proportion of your traffic that cannot be viewed or altered by others on your network. You can install that plugin from [https://www.eff.org/HTTPS-EVERYWHERE](https://www.eff.org/HTTPS-EVERYWHERE).*
 
 :heavy_check_mark:     **Be exceptionally careful about what software you install on your devices.**
 :rocket::rocket::wrench::wrench::fire::fire::fire:
-*The proliferation of mobile apps, browser extensions and other "free" (as in zero-cost, not open source) programs has caused numerous security problems. Avoid software that hasn't been created by a company you already have a trust relationship with (i.e., any company whose tools you are already using at your organization). Software that appears to have good intentions (like antivirus scanning) or even beneficial features may be masking malicious activities in the background. In most browsers and mobile devices, an application will ask for certain permissions at installation -- the information and hardware it can access on your device. These are worth looking at to make sure they at least vaguely reflect what is expected. For example, if a flashlight app asks for permissions to your contacts or to make phone calls, you probably don't want to install it. Permissions to be especially cautious around granting include access to your calls, contacts, camera, microphone, location services or entire storage.
+*The proliferation of mobile apps, browser extensions and other free (as in zero-cost, not open source) programs has caused numerous security problems. Avoid software that hasn't been created by a company you already have a trust relationship with (i.e., any company whose tools you are already using at your organization). Software that appears to have good intentions (like antivirus scanning) or beneficial features may be masking malicious activities in the background. In most browsers and mobile devices, an application will ask for certain permissions at installation--the information and hardware it can access on your device. These are worth looking at to make sure they at least vaguely reflect what is expected. For example, if a flashlight app asks for permissions to your contacts or to make phone calls, you probably don't want to install it. Permissions to be especially cautious around granting include access to your calls, contacts, camera, microphone, location services, or entire storage.
 
-The way to look at permissions after installation depends on the context. In Chrome, go to chrome://extensions/ and click the permissions link for each one. On iOS devices, under Settings is a list of all permissions; under each permission is the list of apps that use it. On Android devices, go to Settings>Application Manager to view a list of apps; under each app is the list of permissions it uses.
+The way to look at permissions after installation depends on the context. In Chrome, go to chrome://extensions/ and click the permissions link for each one. On iOS devices, under Settings is a list of all permissions; under each permission is the list of apps that use it. On Android devices, go to Settings\>Application Manager to view a list of apps; under each app is the list of permissions it uses.
 
-Unfortunately most software installation systems on laptops and desktop computers will not ask for permission to access resources so you should be extra careful about installation of software not from a mobile, browser or OS app store.*
+Unfortunately most software installation systems on laptops and desktop computers will not ask for permission to access resources, so you should be extra careful about installation of software not from a mobile, browser or OS app store.*
 
 ## Laptop and Desktop Computer Security Tasks
 
 :heavy_check_mark:      **Add a privacy filter to your computer's screen.**
 :rocket::wrench::fire::fire:
-*One of the easiest ways to accidentally leak information is for someone in a public place to see it on your screen. Purchasing and installing privacy filters (basically, a piece of plastic that allows what is on your computer to be seen only by the person sitting right in front of it), especially if you work frequently in libraries, cafés, coworking spaces, airports, and/or airplanes, will protect you from this threat. Be aware that if you frequently share information by showing your actual laptop screen to others (as opposed to connecting your laptop to a projector or other display), you will want to ensure that any filter you purchase has an attachment option designed to enable easy temporary removal.*
+*One of the easiest ways to accidentally leak information is for someone in a public place to see it on your screen. Purchasing and installing privacy filters (basically, a piece of plastic that allows what is on your computer to be seen only by the person sitting right in front of it), especially if you work frequently in libraries, cafés, coworking spaces, airports, and/or airplanes, will protect you from this threat. Be aware that if you frequently share information by showing your actual laptop screen to others (as opposed to by connecting your laptop to a projector or other display), you will want to ensure that any filter you purchase has an attachment option designed to enable easy temporary removal.*
 
 :heavy_check_mark:     **Carefully source your USB and memory card devices, only plugging trusted and personally sourced ones into your computer.**
-:rocket::wrench::wrench::fire::fire::fire: <what is our max # of icons? one reviewer suggests adding another for this>
-*Don't plug other people's USB devices and memory cards such as flash drives, hard drives and phones into your computer, or any such devices that came to you in anything besides verifiable original packaging. This recommendation is especially important with regard to devices from unknown or untrusted sources (leaving USB sticks around an office is a classic intrusion technique), but it also applies devices owned by trusted people, as trusting a person is not the same as trusting all the devices they use, the software they run or the other  devices they have plugged their USB device into into. USB and memory card devices can silently infect your computer in ways that are very hard to detect.*
-*While never plugging USB devices into your computer is ideal, it is not always possible to do so. If you have to plug something into a computer, make sure that computer is running antivirus software that is up to date, and consider logging into a guest account that doesn't have access to your files or systems and then passing the files on it through an additional virus scan before opening or using. Certain cloud services, including Google Drive and Box (but not Dropbox) automatically scan uploaded files (under 25MB for Google Drive) for viruses and will alert you if your files are infected so you can use that as an additional layer of protection. However, there is still risk associated with USB devices and after using a USB device you don't trust, be on the look out for odd behavior such as error messages, extra network traffic or rapid battery usage and report any of those things immediately.*
+:rocket::wrench::wrench::fire::fire::fire:
+*Don't plug other people's USB devices and memory cards such as flash drives, hard drives, and phones into your computer, or any such devices that came to you in anything other than verifiable original packaging. This recommendation is especially important with regard to devices from unknown or untrusted sources (leaving USB sticks around an office is a classic intrusion technique), but it also applies devices owned by trusted people, as trusting a person is not the same as trusting all the devices they use, the software they run, or the other  devices they have plugged their USB device into into. USB and memory card devices can silently infect your computer in ways that are very hard to detect.*
+
+*While never plugging USB devices into your computer is ideal, it is not always possible to do so. If you have to plug something into your computer, make sure that computer is running antivirus software that is up to date, and consider logging into a guest account that doesn't have access to your files or systems and then passing the files on it through an additional virus scan before opening or using. Certain Internet-based services, including Google Drive and Box (but not Dropbox) automatically scan uploaded files (under 25MB for Google Drive) for viruses and will alert you if your files are infected, so you can use that as an additional layer of protection. However, there is still risk associated with USB devices and after using a USB device you don't trust, be on the lookout for odd behavior such as error messages, extra network traffic, or rapid battery usage and report any of those things to your technical support provider immediately.*
 
 
 ## Mobile Phone and Tablet Security Tasks
 
 :heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**Don't click links sent to you by SMS or other text message, or through social media, especially from unknown parties.**
 :rocket::wrench::fire::fire:
-*There is rarely a reason to send links in this way, and yet we continue to see situations where mobile devices are compromised through incoming links sent by text messages or social media messaging. Note this includes not just the common SMS text message that works on all cellular networks even without a data connection, but by also messages from any application that allows someone who knows your phone number of username to send you a message. The link may display what looks like a legitimate page, or often a shortened link, but may have installed malicious software in the background. If you absolutely need to click a link sent in this way, verify with the sender by phone or video call that the link you see is what they sent you. (Of course, this is broadly true of all links sent to you on all devices and over any channels that accept messages from anyone, for example email or a comment form on a web page, so you should use caution in clicking those links as well.)*
+*There is rarely a reason to send links in this way, and yet we continue to see situations where mobile devices are compromised through incoming links sent by text messages or social media messaging. Note this includes not just the common SMS text messaging that works on all cellular networks even without a data connection, but by also messages from any application that allows someone who knows your phone number or username to send you a message. The link may display what looks like a legitimate page, or often a shortened link, but may have installed malicious software in the background. If you absolutely need to click a link sent in this way, verify with the sender by phone or video call that the link you see is what they sent you. (Of course, this is broadly true of all links sent to you on all devices and over any channels that accept messages from anyone, for example, email or a comment form on a web page, so you should use caution in clicking those links as well.)*
 
-:heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**Use either a charge-only cable or a "USB condom" device to charge your device from anything other than a wall charger or a computer that you know to be free of infection. Carry a backup battery to ensure you never have to charge your device from an untrusted source.**
+:heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**Use either a charge-only cable or what is known as a USB condom to charge your device from anything other than a wall charger or a computer that you know to be free of infection. Carry a backup battery to ensure you never have to charge your device from an untrusted source.**
 :rocket::wrench::wrench::fire::fire::fire:
-*Almost all modern professionals have been there: your mobile phone or tablet is dead and the only place to charge it a friend's laptop, an internet connected device, or a public computer. Unfortunately that computer or device can become a route for a virus or other malicious software to infect your device. For use in these situations, you can purchase a "USB condom" (which prevents a connection between the data pins in the unknown port and the USB cable and allows only the power pins to connect) or charge-only USB cable (which does not contain the wires that are used for data transfer in the first place). Either option will enable you to safely connect your device to any USB port you come across. Another option, which has the added advantage of being useful even if you can't find a random port, is to purchase and carry a USB-enabled backup battery so you can always charge your device on the go. Although it has been shown to be possible, there have been no reports of backup batteries spreading malware. However if charging from a suspicious charger or one from a stranger, you may wish again to use a USB condom or charge only cable to ensure that any software on the battery cannot affect your device.*
+*Almost all modern professionals have been there: your mobile phone or tablet is dead and the only place to charge it a friend's laptop, an internet connected device, or a public computer. Unfortunately that computer or device can become a route for a virus or other malicious software to infect your device. For use in these situations, you can purchase a USB condom (a device that goes in between the USB cable and the port you are plugging into and prevents a connection between the data pins in the unknown port and the USB cable, allowing only the power pins to connect) or charge-only USB cable (which does not contain the wires that are used for data transfer in the first place). Either option will enable you to safely connect your device to any USB port you come across. Another option, which has the added advantage of being useful even if you can't find a random port, is to purchase and carry a USB-enabled backup battery so you can always charge your device on the go. Although it has been shown to be possible, there have been no reports of backup batteries spreading malware. However, if charging from an unknown, you may want to use a USB condom or charge-only cable the way you would with an untrusted port to ensure that any software on the battery cannot affect your device.*
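Review bot: the rewritten USB paragraph (`+*Don't plug other people's USB devices and memory cards...`) still carries the typos from the line it replaces: "it also applies devices owned by trusted people" is missing "to", "the other  devices" has a double space, and "plugged their USB device into into" repeats "into". The same pattern of carried-over slips appears elsewhere in this hunk: "a an Internet-based file service" in the file-sharing paragraph, "but by also messages from any application" in the SMS item, and in the charging item "the only place to charge it a friend's laptop" is missing "is" while the new sentence "However, if charging from an unknown, you may want to use a USB condom" drops the noun after "unknown" (battery or charger, presumably). Two points of substance: the new parenthetical "complex password (longer than 12 characters and including a mix of two or three different types of characters (e.g., symbols, numbers, and both upper- and lowercase letters))" nests parentheses and states the length threshold differently from the Password and Authentication checklist in this same patch ("12 characters or longer"); pick one wording and use it in both files. And the HTTPS Everywhere paragraph says encrypted traffic "cannot be seen by others on the wireless network or the operator of the network itself", which overstates it: HTTPS protects the content exchanged with the site, but the name of the site being visited remains visible to the network operator, so "the content of the information being sent back and forth ... cannot be seen" would be accurate. Finally, the Windows file-sharing link (https://support.microsoft.com/en-us/kb/307874) is an old knowledge-base article; confirm it still describes the Windows versions readers are likely to run before the peer-reviewed version goes out.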
diff --git a/5_authentication_checklist.md b/5_authentication_checklist.md
index 5b92a6cfbc6e43d296ca3cc23af15f8115af7470..4e5723eab8493fe63ec2a2f52cf7d36bf93f63ef 100644
--- a/5_authentication_checklist.md
+++ b/5_authentication_checklist.md
@@ -2,85 +2,86 @@
 document set: DIGITAL SECURITY CHECKLISTS FOR U.S. NON-PROFITS
 title: Password and Authentication Safety Checklist
 author: Jonah Silas Sheridan, Lisa Jervis
-version: "2.0, DRAFT NOT FOR FOR PUBLIC USE"
-last modified: 10/11/17
+version: "2.0, PEER REVIEWED"
+last modified: 10/27/17
 ---
 
 # Password and Authentication Safety Checklist
 
 ## Introduction
 
-*This checklist comes from the Weathering the Storms toolkit, which contains wraparound documentation including an introduction, frequently asked questions, and a glossary where you can look up any terms that are unfamiliar to you. This is a community-driven document set with the latest version always at https://ecl.gy/sec-check. We welcome your feedback via RoadMap, or our contact form at https://iecology.org/contact/.*
+*This checklist comes from the Weathering the Storms toolkit, which contains wraparound documentation including an [introduction](1_checklist_introduction.md), [frequently asked questions](C_FAQ.md), and a [glossary](A_glossary.md) where you can look up any terms that are unfamiliar to you. This is a community-driven document set with the latest version always at [https://ecl.gy/sec-check](https://ecl.gy/sec-check). We welcome your feedback via RoadMap, or our contact form at [https://iecology.org/contact/](https://iecology.org/contact/).*
 
 This checklist provides a number of practices that can help you and your staff better curate your organization's passwords and control who accesses your information. While passwords are the most common form of authentication (that is, proving your identity to a computer system), other systems are emerging that offer better protection. Some are mentioned below.
 
-In the recommendations below, the term “organizational” is used to identify the group of accounts that grant access to your organization's online identity, backups, administrative controls and other critical systems. These tend to be used infrequently, but are very powerful. As such these passwords should be treated different from “everyday” credentials (the set of passwords that staff members need to perform their regular duties using databases, communication tools, and other platforms used for daily work).
+In the recommendations below, the term “organizational” is used to refer to the group of accounts that grant access to your organization's online identity, backups, administrative controls, and other critical systems. These tend to be used infrequently, but are very powerful. As such these passwords should be treated different from what we are calling “everyday” credentials (the set of passwords that staff members need to perform their regular duties with databases, communication tools, and other platforms used for daily work).
 
 ## Key
+
 :heavy_check_mark: Record actions  
-:rocket: Implementation management overhead rating   
+:rocket: Implementation management overhead   
 :wrench: Technical skill level required
 :fire: Work flow disruption for staff
 
 ## Password and Authentication Security
 
-:heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**Have all staff use password manager software**  
+:heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**Have all staff use password manager software.**  
 :rocket::rocket::wrench::wrench::fire::fire::fire:    
-*Since passwords can be used to both access to organizational information and disrupt your work in various ways, they are one of the most important pieces of information to protect from exposure. They should never be stored in spreadsheets, text files, or word processor documents (even password protected ones, as these are simple to break open); they should also not be saved to your browser's built-in password-saving feature.*
+*Since passwords can be used both to access organizational information and disrupt your work in various ways, they are one of the most important pieces of information to protect from exposure. They should never be stored in spreadsheets, text files, or word processing documents (even password-protected ones, as these are simple to break open); they should also not be saved to your browser's built-in password-saving feature.*
 
-*Instead, use dedicated password manager software. This type of software will store all of your passwords securely and support you in adopting many of the practices listed in the items below. To use it, you just remember a single password that opens up your secure file or account, which in turn stores all of your other passwords.*
+*Instead, use dedicated password manager software. This type of software will store all of your passwords securely and support you in adopting many of the practices listed in the items below. To use a password manager, you just remember a single password that opens up your secure file or account, which in turn stores all of your other passwords.*
 
-*There are two types of password managers: those that are web-based and those that store information locally on your hard drive. Local storage is more secure, as web browsers are insecure environments for password storage and handling. KeePass and KeePassX are two versions of a highly recommended local password manager. These two tools use the same encrypted file format and can run on most any computer. The excellent Security In a Box website has a [KeePass overview]("https://securityinabox.org/en/guide/keepass/windows").*
+*There are two types of password managers: those that are web-based and those that store information locally on your hard drive. Local storage is more secure, as web browsers are insecure environments for password storage and handling. KeePass and KeePassX are two versions of a highly recommended local password manager. These two tools use the same encrypted file format and can run on almost any computer. The excellent Security In a Box website has a [KeePass overview](https://securityinabox.org/en/guide/keepass/windows) (https://securityinabox.org/en/guide/keepass/windows).*
 
 *We realize that web-based password managers (such as LastPass and 1Password) are efficient and appealing because they provide access to passwords where they are most often used: in a web browser. And although evaluating online services and their current security claims is outside of the scope of this document, we acknowledge that online password management tools often have adequate security levels for many organizations' everyday password handling needs; however, the benefits do not outweigh the risks when storing rarely used core organizational passwords or other highly sensitive information. (See "Separate organizational and everyday passwords" below for more on this.)*
 
-:heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**Teach everyone in your organization to generate strong passwords and make sure they are used for all accounts, organizational and everyday**
+:heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**Teach everyone in your organization to generate strong passwords and make sure they are used for all accounts, both organizational and everyday.**
 :rocket::rocket::wrench::fire::fire:   
-*Strong passwords are generally longer than 12 characters and use a mix of two or three different types of characters (e.g., symbols, numbers, and both upper- and lowercase letters). Don't put uppercase letters, symbols, or digits specifically at only the beginning or end of your passwords; instead, mix them in throughout. Do not include any personal information like your favorite sports teams, places you have lived, your kids' or pets' names, important dates, or common phrases like song lyrics or poems. Don't use patterns like "123" or "xyz," especially ones that appear on a keyboard, or acronyms associated with your work or organization.*   
+*Strong passwords are generally 12 characters or longer and use a mix of two or three different types of characters (e.g., symbols, numbers, and both upper- and lowercase letters). Don't put uppercase letters, symbols, or digits specifically at only the beginning or end of your passwords; instead, mix them in throughout. Do not include any personal information like your favorite sports teams, places you have lived, your kids' or pets' names, important dates, or common phrases such as song lyrics or poems. Don't use patterns like "123" or "xyz," especially ones that appear on a keyboard, or acronyms associated with your work or organization.*   
 
-*There are many ways to generate strong passwords. There is a guide in [Security In a Box]("https://securityinabox.org/en/guide/passwords"), and most password managers will also make a random password for you, as will other available software for that specific purpose. [Diceware]("http://world.std.com/~reinhold/diceware.html") is a fun and effective scheme for creating random yet memorable passwords using everyday objects and a word list. One other great way to make a strong password is to come up with a silly sentence that no one’s ever said before and use the first letter or two of each word as your password, mixing in other types of characters.*
+*There are many ways to generate strong passwords. There is a guide in [Security In a Box](https://securityinabox.org/en/guide/passwords) (https://securityinabox.org/en/guide/passwords), and most password managers will also make a random password for you, as will other available software for that specific purpose. [Diceware](http://world.std.com/~reinhold/diceware.html) (http://world.std.com/~reinhold/diceware.html) is a fun and effective scheme for creating random yet memorable passwords using everyday objects and a word list. One other great way to make a strong password is to come up with a silly sentence that no one’s ever said before and use the first letter or two of each word as your password, mixing in other types of characters.*
 
-*It is important to apply strong passwords to all accounts, as access to a single account can often be leveraged into access to other systems. This is especially relevant for any email accounts that can be used to reset or recover other passwords (usually via a "Forgot Password" link) which should always have a strong password applied.*
+*It is important to apply strong passwords to all accounts, as access to a single account can often be leveraged into access to other systems. This is especially relevant for any email accounts that can be used to reset or recover other passwords (usually via a "forgot password" link).*
 
-:heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**Don't use the same password for more than one site or service**  
+:heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**Don't use the same password for more than one site or service.**  
 :rocket::wrench::fire::fire:   
-*Following this practice is a great way to minimize the risk of using third-party technology services. If you don't reuse passwords, someone learning your username and password for one service through a leak or break-in won't make it easy to access the other accounts you use. Use different passwords for each service so you aren't relying on the provider to protect your most important secret.*
+*Following this practice is a great way to minimize the risk of using third-party technology services. If you don't reuse passwords, someone learning your username and password for one service through a leak or break-in won't make it easy to access the other accounts you use. Use different passwords for each service so you aren't relying on the services you're logging into to protect your most important secret.*
 
-:heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**Try to limit hard-copy written password storage**  
+:heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**Try to limit hard-copy written password storage.**  
 :rocket::wrench::fire:  
-*Even when using a password manager, there are generally a few passwords you'll need to remember without it: the password to that password manager itself, of course, and probably at least one device password. It can be tempting -- and risky -- to keep these written down on paper. Instead, use techniques found in the Security In a Box online guide listed above to create memorable but strong passwords. If you initially need a written copy of your password, protect it physically by storing it someplace where it won't be lost or stolen and easily identified with you. Try to type your password with less looking at the copy each time, and destroy the paper copy when you have memorized the password.*
+*Even when using a password manager, there are generally a few passwords you'll need to remember without it: the password to the password manager itself, of course, and probably at least one device password. It can be tempting--and risky--to keep these written down on paper. Instead, use techniques found in the Security In a Box online guide listed above to create memorable but strong passwords. If you need a written copy of your password when you first start using it, protect it physically by storing it someplace where it won't be lost or stolen and easily identified with you. Try to type your password with less looking at the copy each time, and destroy the paper copy when you have memorized the password.*
 
-:heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**Do not tell anyone else your password(s), ever**  
+:heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**Do not tell anyone else your password(s), ever.**  
 :rocket::wrench::fire:
-*Even if someone claims to be from IT or technical support, do not give them your password. Nearly every system allows for administrative reset of passwords for maintenance. Any legitimate IT person can use this function instead of asking you. It also this creates an auditable trail of access to your account, and alerts you. You will need to change your password again after such admin access, but taking that an extra step will ensure that you and only you have access to your digital information, and that you can know who in your organization is responsible for what changes.*
+*Even if someone claims to be from IT or technical support, do not give them your password. Nearly every system allows for administrative reset of passwords for maintenance. Any legitimate IT person can use this function instead of asking you. This system also this creates an auditable trail of access to your account, and alerts you to a reset. You will need to change your password again after such admin access, but taking that extra step will ensure that you and only you have access to your digital information, and that you can know who in your organization is responsible for what changes to your account.*
 
-:heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**Consider making single-use passwords for sites you rarely use**  
+:heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**Consider making single-use passwords for sites you rarely use.**  
 :rocket::wrench::fire::fire:     
-*If you never store a password, you can never leak it and it can never get stolen from you. Most service providers allow you to reset a password by sending you an email. Creating and then immediately forgetting/not recording a long, random password is a good strategy when all of the following conditions are met: 1) The account is linked to an email address that you are sure you will control in the future, 2) the account is something you will not use frequently, and 3) you can absorb a potential delay in accessing the account if/when you need to.*
+*If you never store a password, you can never leak it and it can never get stolen from you. Most service providers allow you to reset a password by sending you an email. Creating and then immediately forgetting/not recording a long, random password is a good strategy when all of the following conditions are met: 1) The account is linked to an email address that you are sure you will control in the future, 2) the account is one you will not use frequently, and 3) you can absorb a potential delay in accessing the account if/when you need to.*
 
-*When using this method, the next time you need to log in to the account, you can hit the “forgot password" link and go through the system's password reset process. Recognize that the security of any account for which you use this single-use method becomes the same as the security for your linked email account (since you use that email account to get back into the service) -- so you need to ensure you have long term access to that email account by ensuring the domain will remain registered long term and that the account password is strong and stored carefully.*
+*When using this method, the next time you need to log in to the account, you can hit the “forgot password" link and go through the system's password reset process. Recognize that the security of any account for which you use this single-use method becomes the same as the security for your linked email account (since you use that email account to get back into the service)--so you need to ensure you have long-term access to that email account by ensuring that the domain remains registered in the long term and that the account password is strong and stored carefully.*
 
-:heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**Wherever available, and especially for critical accounts implement two-factor authentication using a method other than text messaging as your second factor.**  
+:heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**Wherever available, and especially for critical accounts, implement two-factor authentication using a method other than text messaging as your second factor.**  
 :rocket::rocket::wrench::wrench::fire::fire::fire:
 
-*Many service providers have begun to offer login systems that rely on more than one thing to identify a user, also called multi-factor authentication . There can be several items used for authentication, but usually there are just two; your password and another code or device you have.  Often this is a code generated by a program, such as Google Authenticator (which can be used with all sorts of accounts), that runs on your computer or phone or sent by text message. In this case we call it "two factor authentication" since there are two things, or "factors" you need to have.
+*Many service providers have begun to offer login systems that rely on more than one piece of information to identify a user, also called multi-factor authentication. There can be several items used for authentication, but usually there are just two: something you know (your password) and something else you have. In this case we call it "two factor authentication" since there are two things, or "factors." Often the second factor is a code sent by text message to your phone (not recommended--see below), but it can also be embedded on a special type of USB device, a program that generates codes on your phone, or even a piece of paper with preprinted codes.
 
-Two factor authentication adds a layer of protection to your accounts so that it is much harder to take them over. It will add an extra step to login to new or timed out devices for people to get used to, but is a strong way to protect important accounts against weak or leaked passwords. It is especially important to use two factor authentication on accounts that grant a lot of access to your devices or files. Such accounts include those that allow you to install software to devices (such as Apple IDs or Google Play accounts) or to reset passwords for other accounts (anything you use as "recovery email" with other services, for example).
+Two-factor authentication adds a layer of protection to your accounts so that it is much harder to take them over. It adds an extra step for people to get used to, but is a strong way to protect important accounts against weak or leaked passwords, as it protects from someone who obtains just the password from getting into the account. It is especially important to use two-factor authentication on accounts that grant a lot of access to your devices or files. Such accounts include those that allow you to push software installs to devices (such as Apple IDs or Google Play accounts) or to reset passwords for other accounts (any account you use as a recovery email for other services, for example).
 
 Be aware that cell phone-based authentication factors (whether via a text message or an app) require a working phone, so if adopting them you may wish to also provide staff with backup batteries to ensure they can always log in to their accounts even on days with heavy telephone use. In some cases, where login is only occasional, a piece of paper with preprinted backup codes may suffice, but then you need to protect that paper carefully.*
 
-*A newer and very strong second factor is a code embedded on a special type of USB device also known as a "Universal 2nd Factor" (U2F) such as a the Yubikey (https://www.yubico.com). Not having a dependency on a working phone or cell signal is one of many advantages of U2F devices, but as of the latest update to this document in the fall of 2017, there are still relatively few services that support such U2F capable devices. Major services your organization may use that support U2F keys include Dashlane, Dropbox, Facebook, Google and Salesforce. You can read more about U2F at https://www.yubico.com/solutions/fido-u2f/.*
+*A newer and very strong second factor is a code embedded on a special type of USB device also known as a "Universal 2nd Factor" (U2F) such as a the [Yubikey](https://www.yubico.com) (https://www.yubico.com). Not having a dependency on a working phone or cell signal is one of many advantages of U2F devices, but as of the latest update to this document in the fall of 2017, there are still relatively few services that support such U2F-capable devices. Major services your organization may use that support U2F keys include Dashlane, Dropbox, Facebook, Google, and Salesforce. You can read more about U2F at [https://www.yubico.com/solutions/fido-u2f/](https://www.yubico.com/solutions/fido-u2f/).*
 
-***Text message-based codes are not recommended for use as a second factor.***  *It can be surprisingly easy for someone to take over control of a cell number via social engineering and/or fraud (see https://www.ftc.gov/news-events/blogs/techftc/2016/06/your-mobile-phone-account-could-be-hijacked-identity-thief, https://techcrunch.com/2016/06/10/how-activist-deray-mckessons-twitter-account-was-hacked/, and https://threatpost.com/nist-recommends-sms-two-factor-authentication-deprecation/119507/ for more information). Adopt one of the other mechanisms above instead.*
+***Text message-based codes are not recommended for use as a second factor.***  *It can be surprisingly easy for someone to take over control of a cell number via social engineering and/or fraud (see [https://www.ftc.gov/news-events/blogs/techftc/2016/06/your-mobile-phone-account-could-be-hijacked-identity-thief](https://www.ftc.gov/news-events/blogs/techftc/2016/06/your-mobile-phone-account-could-be-hijacked-identity-thief), [https://techcrunch.com/2016/06/10/how-activist-deray-mckessons-twitter-account-was-hacked/](https://techcrunch.com/2016/06/10/how-activist-deray-mckessons-twitter-account-was-hacked/), and [https://threatpost.com/nist-recommends-sms-two-factor-authentication-deprecation/119507/](https://threatpost.com/nist-recommends-sms-two-factor-authentication-deprecation/119507/) for more information). Adopt one of the other mechanisms above instead.*
 
-*Access Now, an organization that "defends and extends the digital rights of users at risk around the world," has released a clear and handy guide to choosing a two-factor authentication method: https://www.accessnow.org/cms/assets/uploads/2017/09/Choose-the-Best-MFA-for-you.png.*
+*Access Now, an organization that "defends and extends the digital rights of users at risk around the world," has released a [clear and handy guide to choosing a two-factor authentication method](https://www.accessnow.org/cms/assets/uploads/2017/09/Choose-the-Best-MFA-for-you.png) (https://www.accessnow.org/cms/assets/uploads/2017/09/Choose-the-Best-MFA-for-you.png).*
 
-:heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**Separate organizational and everyday passwords**  
+:heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**Separate organizational and everyday passwords.**  
 :rocket::rocket::rocket::wrench::wrench::fire::fire::fire:  
 *Organizational passwords include any passwords that grant administrative control of your organization's information systems or online identity. These are very powerful credentials and so should be stored separately from passwords that just get staff into their personal user accounts. You can do this by making a separate login or file in your password manager application, or by choosing a completely different manager altogether.*
 
-*Placing organizational passwords in a KeePass or otherwise encrypted file that only a few key staff members can access will lessen the risks of adopting an online password manager for everyday passwords, but will also place a burden on those staff members. Balancing these needs should be factored in your decision.*
+*Placing organizational passwords in a KeePass or otherwise encrypted file that only a few key staff members can access will lessen the risks of adopting an online password manager for everyday passwords, but will also place a burden on those staff members. Balancing these needs should be factored into your decision.*
 
-:heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**Set minimum password lengths and enforce complexity rules on services where you can do so, and regularly monitor user password strength**  
+:heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**Set minimum password lengths and enforce complexity rules on services where you can do so, and regularly monitor user password strength.**  
 :rocket::rocket::rocket::rocket::wrench::wrench::wrench::wrench::fire::fire::fire:   
 *On many platforms, including Windows Active Directory and Google Apps, you can set controls at an administrative level to ensure that people use strong passwords. It takes some advance planning and staff training, as setting up these controls without being clear on the implications can confuse users and lock people out of their computers or work files. In addition, someone will need to be designated as the point person for resolving problems that arise from these controls. However, this step improves the security of all users at one time, so is highly recommended.*
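Review bot: two typos survive into the rewritten password-sharing and two-factor text: the `+` line "This system also this creates an auditable trail of access to your account" still carries the doubled "also this" from the original (drop "this"), and "such as a the [Yubikey](https://www.yubico.com)" keeps the stray "a". In the same two-factor paragraph, "as it protects from someone who obtains just the password from getting into the account" reads awkwardly; "as it prevents someone who obtains just the password from getting into the account" says the same thing. Separately, the italic marker opened at the start of "*Many service providers have begun..." is only closed at the end of "...protect that paper carefully.*" three paragraphs later; Markdown emphasis does not span blank lines, so each of those three paragraphs needs its own opening and closing `*`, as the neighbouring checklist items do.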
diff --git a/6_wireless_checklist.md b/6_wireless_checklist.md
index e1f99cf8b801afca55780ad864e907640b78f387..306a075ce429fd6154466cbff7034fdf148c4e10 100644
--- a/6_wireless_checklist.md
+++ b/6_wireless_checklist.md
@@ -2,72 +2,72 @@
 document set: DIGITAL SECURITY CHECKLISTS FOR U.S. NON-PROFITS
 title: Wireless Network Safety Checklist
 author: Jonah Silas Sheridan, Lisa Jervis
-last modified: 10/11/17
-version: "2.0, DRAFT NOT FOR FOR PUBLIC USE"
+last modified: 10/27/17
+version: "2.0, PEER REVIEWED"
 ---
 
 # Wireless Network Safety Checklist
 
 ## Introduction
 
-*This checklist comes from the Weathering the Storms toolkit, which contains wraparound documentation including an introduction, frequently asked questions, and a glossary where you can look up any terms that are unfamiliar to you. This is a community-driven document set with the latest version always at https://ecl.gy/sec-check. We welcome your feedback via RoadMap, or our contact form at https://iecology.org/contact/.*
+*This checklist comes from the Weathering the Storms toolkit, which contains wraparound documentation including an [introduction](1_checklist_introduction.md), [frequently asked questions](C_FAQ.md), and a [glossary](A_glossary.md) where you can look up any terms that are unfamiliar to you. This is a community-driven document set with the latest version always at [https://ecl.gy/sec-check](https://ecl.gy/sec-check). We welcome your feedback via RoadMap, or our contact form at [https://iecology.org/contact/](https://iecology.org/contact/).*
 
-This checklist provides a number or practices that can help protect you and your staff when using wireless networks such as those in offices, co-work spaces as well as more public ones such as hotels, cafés, and airports. Because there are so many ways that wireless networks can be compromised, you should treat all wireless networks as having limited security. You are always safest directly wired into networks that you own and/or control.
+This checklist provides a number oF practices that can help protect you and your staff when using wireless networks such as those in offices and co-work spaces as well as public places such as hotels, cafés, and airports. Because there are so many ways that wireless networks can be compromised, you should treat all wireless networks as having limited security. You are always safest directly wired into networks that you own and/or control.
 
-**If performing work using sensitive or confidential information, including anything that is required to be protected by law (such as personal health information), you are best off avoiding the use of wireless networks for those tasks and should never use a free or public wireless network for that work.**
+**If performing work using sensitive or confidential information, including anything that is required to be protected by law (such as personal health information, employment records, and credit card numbers), you are best off avoiding the use of wireless networks for those tasks if possible and should never use a free or public wireless network for that work, unless you are using a VPN. (VPNs are covered below.)**
 
 ## Key
+
 :heavy_check_mark: Record actions  
-:rocket: Implementation management overhead rating   
+:rocket: Implementation management overhead   
 :wrench: Technical skill level required
 :fire: Work flow disruption for staff
-## Public Wireless Network Safety Tasks
+
+## Wireless Network Safety Tasks
 
 :heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**Prefer Firefox or Chrome browsers. Only use Internet Explorer and Safari when required. Keep all web browser software, including extensions, updated to the latest version.**  
 :rocket::wrench::fire:  
-*Internet Explorer has had a much higher incidence of vulnerabilities than Chrome and Firefox, while Safari has suffered some recent security concerns. <one reviewer asked if these had been addressed in the recent High Sierra OS update but this: https://www.cvits.com/2017/09/29/apple-safari-browser-may-have-security-issues-according-to-google/ makes me think not at all! So I think leave as is but I wanted you to know the Q had been raised.> Although nearly all of the latest browsers support “certificate pinning,” which makes it harder to intercept secure connections, [Chrome]("https://google.com/chrome") and [Firefox]("https://getfirefox.com/") have led the development of this important feature.*
+*Internet Explorer has had a much higher incidence of vulnerabilities than Chrome and Firefox, while Safari has suffered some recent security concerns. Although nearly all of the latest browsers support “certificate pinning,” which makes it harder to intercept secure connections, [Chrome](https://google.com/chrome) (https://google.com/chrome) and [Firefox](https://getfirefox.com/) (https://getfirefox.com/) have led the development of this important feature.*
 
 :heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**Install the HTTPS Everywhere extension on all of the web browsers you use.**  
 :rocket::wrench::fire:  
 
-*The "s" in HTTPS stands for "secure," and when you see "https://" rather than "http://" in your browser's address bar, it means that are securely connected to the site you are visiting: The information being sent back and forth between your browser and the site's server is encrypted and so cannot be seen by others on the wireless network or the operator of the network itself. The browser extension HTTPS Everywhere forces your browser to connect using HTTPS instead of HTTP to any site that makes an HTTPS connection available, thus increasing the proportion of your traffic that cannot be viewed or altered by others on your network. You can install that plugin from [this page]("https://www.eff.org/HTTPS-EVERYWHERE").*
+*The "s" in HTTPS stands for "secure," and when you see "https://" rather than "http://" in your browser's address bar, it means that you are securely connected to the site you are visiting: The information being sent back and forth between your browser and the site's server is encrypted and so cannot be seen by others on the network or the operator of the network itself. The browser extension HTTPS Everywhere, produced by the [Electronic Frontier Foundation](https://eff.org) (https://eff.org) forces your browser to connect using HTTPS instead of HTTP to any site that makes an HTTPS connection available, thus increasing the proportion of your traffic that cannot be viewed or altered by others on your network. You can install that plugin at [https://www.eff.org/HTTPS-EVERYWHERE](https://www.eff.org/HTTPS-EVERYWHERE).*
 
-:heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**Install Privacy Badger, a browser add-on which will limit the “cookies” -- small persistent chunks of information -- set on your computer by websites.**  
+:heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**Install Privacy Badger, a browser add-on that will limit the “cookies”--small persistent chunks of information--set on your computer by websites.**  
 :rocket::wrench::fire::fire:
 
-*Privacy Badger (also produced by the [Electronic Frontier Foundation]("https://eff.org")) is designed to help reduce the privacy breaches and tracking that come with the use of cookies. These cookies can be transferred insecurely so can, if poorly implemented, expose login credentials or other information in transit. As an extra benefit, using it will increase your privacy and reduce the extent to which you are tracked online. Download it [here]("https://privacybadger.org").*
+*Privacy Badger (also produced by the [Electronic Frontier Foundation](https://eff.org) (https://eff.org)) is designed to help reduce the privacy breaches and tracking that come with the use of cookies. These cookies can be transferred insecurely and so can, if poorly implemented, expose login credentials or other information in transit. As an extra benefit, using this extension will increase your privacy and reduce the extent to which you are tracked online. Download it at [https://privacybadger.org](https://privacybadger.org).*
 
 *Note that if you are using integrations between different web-based systems in your work (for example, connecting file-sharing systems such as Google or Box to project management systems such as Asana or Basecamp), you will need to tune your Privacy Badger settings for those sites to keep the integrations working properly.*
 
-
 :heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**When you have a choice, pick wireless networks that use a password, ideally a unique one for each person connecting, and those that use WPA or WPA2 encryption rather than WEP encryption.**  
 :rocket::wrench::fire:  
 
-*A password on a wireless network means the information moving across it is less easily captured and decoded by someone nearby. However, in most cases everyone with that password can at least see some parts of your network connections -- but if everyone has a unique password this becomes quite hard to do. WPA and WPA2 offer stronger protection than WEP, which is now relatively easily compromised. Most computers offer an easy way to view what encryption is in use on a given network. In OSX, hold down the Option key and click the wireless indicator in the top right corner to reveal extra information about each wireless network. The method for viewing these details is different in each version of Windows, so ask your tech support provider for assistance for the software you use.
-Note that some broad attacks on WPA encryption schemes have recently come to light. Consequently this recommendation has only limited utility and for sensitive operations a VPN or other encrypted connection is necessary to ensure the confidentiality of your information.
+*A password on a wireless network means the information moving across it is less easily captured and decoded by someone nearby. However, in most cases everyone with that password can at least see some parts of your network connections--but if everyone has a unique password this becomes quite hard to do. WPA and WPA2 offer stronger protection than WEP, which is now relatively easily compromised. Most computers offer an easy way to view what encryption is in use on a given network. In OSX, hold down the Option key and click the wireless indicator in the top right corner to reveal extra information about each wireless network. The method for viewing these details is different in each version of Windows, so ask your tech support provider for assistance for the software you use.
+Note that some broad attacks on WPA encryption schemes have recently come to light. Consequently this recommendation has only limited utility, and for sensitive operations a VPN or other encrypted connection is necessary to ensure the confidentiality of your information.*
 
 :heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**Confirm the network details before you connect.**  
 :rocket::rocket::wrench::fire:  
 
-*An attacker can set up an access point with a name similar or identical to a legitimate one, so that you connect to it instead of the network you intend. Make sure to ask the proprietor of a public network what the network name and password are, and connect to the network with that name that accepts that password. This doesn't completely guarantee that the network you are connecting to isn't hostile or compromised, but it makes the difficulty of hijacking your connection much higher.*
+*An attacker can set up an access point with a name similar or identical to a legitimate one, so that you connect to the attacker's network instead of the one you intend. Make sure to ask the proprietor of a public network what the network name and password are, and connect to the network with that name that accepts that password. This doesn't completely guarantee that the network you are connecting to isn't hostile or compromised, but it makes the difficulty of hijacking your connection much higher.*
 
-:heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**Ensure that the wireless network is not presenting false certificates and do not import any certificates you are asked to install.**  
+:heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**Ensure that the wireless network is not presenting false certificates, and do not import any certificates you are asked to install.**  
 :rocket::rocket::rocket::rocket::wrench::wrench::wrench::fire::fire::fire:  
-*Increasingly, networks are set up to monitor traffic for various reasons such as ad placement or content filtering. However, this potentially compromises all secure connections, as it allows traffic to be monitored via the same mechanism in what is called a Man-In-The-Middle (MITM) attack. Under these circumstances the network device will replace ask you to install a certificate that it controls and then will replace the security certificate from the service you are connecting to with the one you installed. Anyone with access to that device can now see any communication between you and that service. Learning to view certificates in your web browser, or installing and learning to use a tool such as Certificate Patrol (available only for Firefox [here]("http://patrol.psyced.org/")), will help you identify certificate changes but in normal operation also causes many alert windows to appear as vendors change their certificates.*  
+*Increasingly, networks are set up to monitor traffic for various reasons such as ad placement or content filtering. However, this potentially compromises all secure connections, as it allows traffic to be monitored via the same mechanism in what is called a man-in-the-middle (MITM) attack. Under these circumstances the network device will ask you to install a certificate that it controls and then will replace the security certificate from the service you are connecting to with the one you installed. Anyone with access to that device can now see any communication between you and that service. Learning to view certificates in your web browser, or installing and learning to use a tool such as [Certificate Patrol](http://patrol.psyced.org/) (http://patrol.psyced.org/), available only for Firefox, will help you identify certificate changes but in normal operation also causes many alert windows to appear as vendors change their certificates.*  
 
-*Google has created [documentation]("https://support.google.com/chrome/answer/95617?hl=en") for viewing certificate information in Chrome. Mozilla has [similar documentation]("https://support.mozilla.org/en-US/kb/secure-website-certificate
-") for Firefox as well as some [overall instructions]("https://support.mozilla.org/en-US/kb/how-do-i-tell-if-my-connection-is-secure") on connection security that you may wish to review.*
+*Google has created documentation for [viewing certificate information in Chrome](https://support.google.com/chrome/answer/95617?hl=en) (https://support.google.com/chrome/answer/95617?hl=en). Mozilla has [similar documentation for Firefox](https://support.mozilla.org/en-US/kb/secure-website-certificate) (https://support.mozilla.org/en-US/kb/secure-website-certificate) as well as some [overall instructions on connection security](https://support.mozilla.org/en-US/kb/how-do-i-tell-if-my-connection-is-secure) (https://support.mozilla.org/en-US/kb/how-do-i-tell-if-my-connection-is-secure).*
 
 :heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-**Use a Virtual Private Network (VPN) to securely tunnel out of public networks.**  
+**Use a Virtual Private Network (VPN) to securely tunnel out of wireless networks.**  
 :rocket::rocket::rocket::wrench::wrench::wrench::fire::fire::fire:  
 
-*A VPN creates a secure connection for your computers and mobile devices to use to access an office network and/or the Internet. This connection, or tunnel, can be used to hide all information moving from your computers to the Internet or office network from the operator or other users of the wireless network. Use of a VPN severely limits your exposure to the owner and operator of the network you are on and so significantly reduces the amount of trust you have to place in them. These factors make VPNs a very effective way to protect your traffic from observation or interception on untrusted networks.*
+*A VPN creates a secure connection for your computers and mobile devices to use to access the Internet (or an office network). This connection, or tunnel, can be used to hide all information moving between your computers and the Internet (or office network) from the operator or other users of the wireless network. Use of a VPN severely limits your exposure to the owner and operator of the network you are on and so significantly reduces the amount of trust you have to place in them. These factors make VPNs a very effective way to protect your traffic from observation or interception on untrusted networks.*
 
-*A VPN is implemented via a device you own located in your office or at an offsite facility, or that a third party hosts for you. If hosting your own VPN hardware, make sure you budget for ongoing maintenance, licensing, and software updates; otherwise, the device mediating your connection will become a vulnerability instead of a security improvement. Also recognize that in setting up a device to use for VPN connections inside your office, many offsite staff will be dependent on your office Internet line for their work. If this Internet connection is unstable, undersized, or asymmetric (made for downloading more than uploading, such as DSL or residential cable connections), the VPN will not work well for staff. For this reason, paying to locate your VPN device in a data center is the best way of getting a high trust, high- performance VPN setup in place.*
+*A VPN is implemented via a device you own located in your office or at an offsite facility, or that a third party hosts for you. If hosting your own VPN hardware, make sure you budget for ongoing maintenance, licensing, and software updates; otherwise, the device mediating your connection will become a vulnerability instead of a security improvement. Also recognize that in setting up a device to use for VPN connections inside your office, many offsite staff will be dependent on your office Internet line for their work. If this Internet connection is unstable, undersized, or asymmetric (made for downloading more than uploading, such as DSL or residential cable connections), the VPN will not work well for staff. For this reason, paying to locate your VPN device in a data center is the best way of getting a high trust, high-performance VPN in place.*
 
-*Because of the high cost of self-hosted VPNs, most organizations choose to use a third party VPN service provider to meet this need. This makes budgetary and operational sense, but it is very important to vet a VPN provider carefully by thoroughly reviewing their policies, understanding their track record in the field, and checking client references.  Recognize that unless you set up, run, and maintain your own VPN infrastructure, you are just offloading the trust you don't want to place in the operators of networks you are using to a different third party -- the owner and operator of the VPN service. While specific recommendations for VPN providers are outside of the scope of this document, in general, free VPN services, including those available in some app stores, should be avoided. (The adage "If you are not paying for it, you're not the customer -- you're the product" holds true here.)*
+*Because of the high cost of self-hosted VPNs, most organizations choose to use a third-party VPN service provider to meet this need. This makes budgetary and operational sense; however, it is very important to vet a VPN provider carefully by thoroughly reviewing their policies, understanding their track record in the field, and checking client references. Recognize that unless you set up, run, and maintain your own VPN infrastructure, you are just offloading the trust you don't want to place in the operators of networks you are using to a different third party--the owner and operator of the VPN service. While specific recommendations for VPN providers are outside of the scope of this document, in general, free VPN services, including those available in some app stores, should be avoided. (The adage "If you are not paying for it, you're not the customer--you're the product" holds true here.)*
 
-*Choosing a provider of a VPN and setting up devices to use it are not simple tasks, and they are critically important -- a misstep in setup or use can bring your work to a crawl or expose your information. All VPNs add a layer of network traffic and will slow down your Internet access, so your distance to and the bandwidth available from your VPN provider (or your office or data center facility if hosting your own) will make a difference to performance -- and in turn whether people actually use it.*
+*Choosing a provider of a VPN and setting up devices to use it are not simple tasks, and they are critically important--a misstep in setup or use can bring your work to a crawl or expose your information. All VPNs add a layer of network traffic and will slow down your Internet access, so your distance to and the bandwidth available from your VPN provider (or your office or data center if hosting your own) will make a difference to performance--and in turn whether people actually use it. The Electronic Frontier Foundation's Surveillance Self-Defense project contains [further information on choosing a VPN](https://ssd.eff.org/en/module/choosing-vpn-thats-right-you) (https://ssd.eff.org/en/module/choosing-vpn-thats-right-you).*
 
 *Consider whether you can absorb the costs to make the speed and trust tradeoffs acceptable to you before choosing to implement a VPN. If you can, the investment in hardware, implementation, setup, and hassle is repaid by a solution that mitigates a range of threats associated with use of untrustworthy networks across many situations.*
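Review bot: the retitled item at the `+**Use a Virtual Private Network (VPN) to securely tunnel out of wireless networks.**` line narrows the scope to wireless, but the rationale that follows (the paragraphs about "the operator or other users of the wireless network" and "untrusted networks across many situations") is really about untrusted networks of any kind; a wired hotel or conference network carries the same risk, so "untrusted networks" (or keeping "public networks") would match the body better. The new caveat added at the `+Note that some broad attacks on WPA encryption schemes...` line would also be clearer if it said explicitly that the checklist action still stands (prefer WPA2 over WEP or an open network) and pointed the reader to the VPN item in this same checklist as the mitigation it refers to, rather than leaving "this recommendation has only limited utility" to stand on its own. Minor: "OSX" in the unchanged text above it is now written "macOS" by the vendor.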
diff --git a/7_email_safety_checklist.md b/7_email_safety_checklist.md
index f792eb8601d62765c224e2b0dfcbe6892b70abef..53289e8ca6b1422d22ee9f17d505f252d842f30c 100644
--- a/7_email_safety_checklist.md
+++ b/7_email_safety_checklist.md
@@ -2,13 +2,14 @@
 document set: DIGITAL SECURITY CHECKLISTS FOR U.S. NON-PROFITS
 title: Email Safety Checklist
 author: Jonah Silas Sheridan, Lisa Jervis
-last modified: 10/11/17
-version: "2.0, DRAFT NOT FOR FOR PUBLIC USE"
+last modified: 10/27/17
+version: "2.0, PEER REVIEWED"
 ---
 # Email Safety Checklist
+
 ## Introduction
 
-*This checklist comes from the Weathering the Storms toolkit, which contains wraparound documentation including an introduction, frequently asked questions, and a glossary where you can look up any terms that are unfamiliar to you. This is a community-driven document set with the latest version always at https://ecl.gy/sec-check. We welcome your feedback via RoadMap, or our contact form at https://iecology.org/contact/.*
+*This checklist comes from the Weathering the Storms toolkit, which contains wraparound documentation including an [introduction](1_checklist_introduction.md), [frequently asked questions](C_FAQ.md), and a [glossary](A_glossary.md) where you can look up any terms that are unfamiliar to you. This is a community-driven document set with the latest version always at [https://ecl.gy/sec-check](https://ecl.gy/sec-check). We welcome your feedback via RoadMap, or our contact form at [https://iecology.org/contact/](https://iecology.org/contact/).*
 
 This checklist provides a number of practices that can help protect you and your staff when using email to communicate. Before sending an email, ask yourself, would I put this on a postcard that might be kept forever? If the answer is no, consider using other means to communicate.
 
@@ -18,34 +19,37 @@ Think about the emails you receive like a sealed envelope. If you don't know who
 
 
 ## Key
+
 :heavy_check_mark: Record actions  
-:rocket: Implementation management overhead rating   
+:rocket: Implementation management overhead   
 :wrench: Technical skill level required
 :fire: Work flow disruption for staff
+
 ## Email Safety Tasks
 
 :heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**Train everyone in your organization not to send sensitive or controversial information over email whenever possible.**  
 :rocket::wrench::fire:   
-*Information in these categories include but are not limited to passwords, credit card information, Social Security numbers, health information, organizational strategy, and potentially damaging critiques or insults.*
-*Establish encrypted channels for sharing this information. Possibilities include a secure instant messenger, intranet site, cloud file server or even mailed USB sticks.*
-*One readily available option is [Signal App] (https://www.signal.org/) for end-to-end encrypted instant messaging and file sharing on mobile devices. There is a [desktop version of Signal for Chrome browser](https://chrome.google.com/webstore/detail/signal-private-messenger) as well which can extend this functionality to desktops and laptops. As of September 2017,the desktop application is still in beta testing so not recommended for high risk situations.*
+*Information in these categories include but are not limited to passwords, credit card information, Social Security numbers, health information, organizational strategy, and potentially damaging critiques or insults. Establish encrypted channels for sharing this information. Possibilities include a secure instant messenger, intranet site, internet-based file server, or even mailed USB sticks.*
+
+*One readily available option is [Signal App](https://www.signal.org/) (https://www.signal.org/), which is used for end-to-end encrypted instant messaging and file sharing on mobile devices. There is also a [Signal extension for Chrome](https://chrome.google.com/webstore/detail/signal-private-messenger) (https://chrome.google.com/webstore/detail/signal-private-messenger) that extends this functionality to desktops and laptops. As of September 2017, the desktop application is still in beta testing so not recommended for high-risk situations.*
 
 :heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**Use strong passwords for all email accounts; change them on a regular basis, and immediately if you have any suspicion of them being used by a third party.**  
 :rocket::rocket::wrench::wrench::fire::fire:     
-*Strong passwords generally are made with a mix of letters, numbers and symbols and are as long as possible. Teach everyone in your organization how to generate and store strong passwords as well as how to reset their own passwords to critical accounts. Good passwords can be made a variety of ways. One recommended method which you can complete with standard household items is called [Diceware]("http://world.std.com/~reinhold/diceware.html"). See the [Password and Authentication Safety Checklist]("5_authentication_checklist.md") in this document set for more recommendations in this area.*
+*Strong passwords are generally 12 characters or longer and use a mix of two or three different types of characters (e.g., symbols, numbers, and both upper- and lowercase letters). Teach everyone in your organization how to generate and store strong passwords as well as how to reset their own passwords to critical accounts. Good passwords can be made a variety of ways. One recommended method that you can complete with standard household items is called [Diceware](http://world.std.com/~reinhold/diceware.html) (http://world.std.com/~reinhold/diceware.html. See the [Password and Authentication Safety Checklist](5_authentication_checklist.md) in this document set for more recommendations in this area.*
 
 :heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; **Establish an anti-phishing training and education program and give staff opportunities for practice through live testing.**  
 :rocket::rocket::rocket::rocket::rocket::wrench::wrench::fire::fire::fire:  
-*Phishing is when malicious emails are crafted to look as legitimate as possible in order to get you to click a link or attachment. This is actually a social engineering attack more than a technical one, and so addressing the human element through education is the best way forward. Testing people by sending fake, innocuous phishing emails is a hard task, but recommended to give people a chance to practice without bad consequences. Be careful not to create a fear response rather than lasting motivation; focus on one or two elements to identify in each email; try to be playful and emphasize and reward good practices rather than the negative experience of getting tricked. Never shame your staff for clicking on a bad link. (This episode of the podcast Reply All, ["What Kind of Idiot Gets Phished?"]( "https://gimletmedia.com/episode/97-what-kind-of-idiot-gets-phished/"), is an entertaining and insightful cautionary tale.)
-*Generally, anything unexpected in your email should be looked at with suspicion. Be wary of any messages that ask you to do something, including clicking a link, opening an attachment, or emailing back information. Be aware that it can be easy to fake “From” addresses, so notice any emails that don't match the usual style of the sender indicated in the “From” address. If someone has broken into your account, you may see reply messages you don't understand, additional sent items, new folders or filters being created, or other changes to settings. Suspicious emails or account behavior should be reported to a technical support person and you should preemptively change your password.*
+*Phishing is when malicious emails are crafted to look as legitimate as possible in order to get you to click a link or attachment. This is actually a social engineering attack more than a technical one, and so addressing the human element through education is the best way forward. Testing people by sending fake, innocuous phishing emails is a hard task, but recommended to give people a chance to practice without bad consequences. Be careful not to create a fear response rather than lasting motivation, focus on one or two elements to identify in each email, and try to be playful and emphasize/reward good practices rather than the negative experience of getting tricked. Never shame your staff for clicking on a bad link! (This episode of the podcast Reply All, ["What Kind of Idiot Gets Phished?"](https://gimletmedia.com/episode/97-what-kind-of-idiot-gets-phished/) (https://gimletmedia.com/episode/97-what-kind-of-idiot-gets-phished/), is an entertaining and insightful cautionary tale.)
 
-*There are multiple companies that offer anti-phishing training and testing if you don't have internal capacity to provide it yourself. [Contact Information Ecology]("https://iecology.org/contact") for referrals.*
+*Generally, anything unexpected in your email should be looked at with suspicion. Be wary of any messages that ask you to do something, including clicking a link, opening an attachment, or emailing back information. Be aware that it can be easy to fake “from” addresses, so notice any emails that don't match the usual style of the sender indicated in the “from” address. If someone has broken into your account, you may see reply messages you don't understand, additional sent items, new folders or filters being created, or other changes to settings. Suspicious emails or account behavior should be reported to a technical support person and you should preemptively change your password.*
+
+*There are multiple companies that offer anti-phishing training and testing if you don't have internal capacity to provide it yourself. [Contact Information Ecology](https://iecology.org/contact) (https://iecology.org/contact) for referrals.*
 
 :heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**Always log in to email over a private connection.**   :rocket::rocket::rocket::wrench::wrench::fire:
 
 *This means using an address that starts with https:// for webmail, and turning on mandatory SSL or TLS encryption in the settings of your email client. For Gmail, connecting using a recent version of the Chrome or Firefox browser will ensure you have such a secure connection.*
 
-*This practice will help ensure that someone operating on a network between you and your email server cannot read or alter your email in transit. Note that if your email is sent to someone outside of your organization, you cannot control the connections between your email server and the recipients' servers nor how the recipients access the message, so it is still vulnerable to attack. Because you control your organization and mail server, following this practice may improve the overall security of internal email but is not a justification to send sensitive information using email internally or externally.*
+*This practice will help ensure that someone operating on a network between you and your email server cannot read or alter your email in transit. Note that if your email is sent to someone outside of your organization, you cannot control the connections between your email server and the recipients' servers, nor how the recipients access the message, so it is still vulnerable to attack. Because you control your organization and mail server, following this practice may improve the overall security of internal email; however, it is not a justification to send sensitive information using email internally or externally.*
 
 :heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**Where you can, implement two-factor authentication for email accounts.**  
 :rocket::rocket::rocket::wrench::wrench::fire::fire::fire:
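Review bot: the Diceware link at the `+*Strong passwords are generally 12 characters or longer...` line is missing its closing parenthesis: `(http://world.std.com/~reinhold/diceware.html. See the` should read `(http://world.std.com/~reinhold/diceware.html). See the`. In the same hunk, the phishing paragraph at the `+*Phishing is when malicious emails...` line opens with `*` but never closes it; now that the following paragraph (`+*Generally, anything unexpected...`) is separated by a blank line, Markdown will not carry the italics across the paragraph break and the opening asterisk will render literally, so add a closing `*` after `cautionary tale.)`. The rating line for "Always log in to email over a private connection" also sits on the same line as the heading rather than on its own line like every other item, which the reformat here could fix while it is touching this block.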
@@ -53,14 +57,14 @@ Think about the emails you receive like a sealed envelope. If you don't know who
 *Many email providers have begun to offer systems that rely on more than one piece of information to log in. There can be several, but usually there are just two: your password and another code you have. Often this is a code sent by text message to your phone but can also be embedded on a special type of USB device, a program that generates codes on your phone, or even a piece of paper with preprinted codes. People will have to get used to having this extra step to log in to new devices, but it protects from someone who obtains either item from getting into the account. See the [Password and Authentication Safety Checklist]("5_authentication_checklist.md") in this document set for more information on this.*
 
 :heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**Instead of sending attachments, store files on a server and send expiring links to the documents there.**   :rocket::rocket::rocket::wrench::wrench::wrench::fire::fire:
-*Email attachments present several risks including their use as a mechanism for phishing. They are not protected from being viewed or altered between recipients, so you cannot ensure that the document you send is the same one that the recipient receives. A malicious server between you and the sender could replace it with any program or file they want, including a virus or malware. Additionally file attachments tend to remain in recipients' email in-boxes, where they are harder to control. For example, if you filled out an order form using your organizational credit card, and emailed it to a vendor as a PDF, someone who breached their email account would have access to a document containing your credit card information for as long as it was not deleted from the server.   
+*Email attachments present several risks, including their use as a mechanism for phishing. They are not protected from being viewed or altered between recipients, so you cannot ensure that the document you send is the same one that the recipient receives. A malicious server between you and the sender could replace it with any program or file they want, including a virus or malware. Additionally, file attachments tend to remain in recipients' email in-boxes, where they are harder to control. For example, if you filled out an order form using your organizational credit card, and emailed it to a vendor as a PDF, someone who breached their email account would have access to a document containing your credit card information for as long as it was not deleted from the server.   
 
 A better practice than email attachments is to have files on a server and send links to documents instead of the documents themselves. Ideally these links lead to locations that themselves are protected by passwords or other authentication, or are temporary and expire soon after use. These links can be easily generated in almost all file-storage systems, whether they use servers in your office (such as a Windows file server) or on the web (such as Google Drive, Box, or Dropbox).*
 
 :heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**Be very careful clicking links or opening attachments in emails.**  
 :rocket::rocket::wrench::wrench::wrench::fire::fire:
 
-*Links, often innocuous looking or even hidden within emails, are a major way adversaries get rogue software inside networks. Before clicking a link or anywhere on an email, even if it appears to be from someone you know, check that it points to a domain name (such as roadmapconsulting.org or the domain where your organization's files are stored) that you recognize and expect. In most email programs, as on the web, hovering over a link displays the URL it points to. If the link's destination is unexpected or unfamiliar, check with the sender to make sure the email is legitimate. Similarly, don't open an attachment unless you are expecting it and the file name is in line with that expectation.*
+*Links, often innocuous looking or even hidden within emails, are a major way adversaries get rogue software inside networks. Before clicking a link or anywhere on an email, even if it appears to be from someone you know, check that it points to a domain name that you recognize and expect (such as roadmapconsulting.org or the domain where your organization's files are stored). In most email programs, as on the web, hovering over a link displays the URL it points to. If the link's destination is unexpected or unfamiliar, check with the sender to make sure the email is legitimate. Similarly, don't open an attachment unless you are expecting it and the file name is in line with that expectation.*
 
 **NEVER** *click on links or open files from unknown senders or in otherwise suspicious emails. Unlike people you know and are working with, someone you don't know will never send you a file that you actually need; if a link from an unknown sender actually contains useful information, you will be able to access it via another, more trusted method (for example, a web search).*
 
@@ -71,7 +75,7 @@ A better practice than email attachments is to have files on a server and send l
 :heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**Pay for a service to filter spam and viruses from email before it reaches your inbox.**
 :rocket::rocket::wrench::wrench::wrench::fire:
 
-*This service comes included with many email providers, including [Gmail]("https://google.com/mail") and [Electric Embers]("https://electricembers.coop"), but not all. Filtering mail before it reaches your network lessens the chance of a virus- or malware-bearing link or attachment being clicked on. After initial setup, this service will be nearly invisible to staff, but requires that someone is tasked with dealing with false positives and other email delivery problems. Be aware, however, that this item involves a significant tradeoff: Filtering means that another company is viewing your email before it reaches you, and this may increase risk of that information being exposed. The [Electric Embers Cooperative]("https://electricembers.coop/") is a values-aligned provider that offers such a service specifically for non-profits.*
+*This service comes included with many email providers, including [Gmail](https://google.com/mail) (https://google.com/mail) and [Electric Embers](https://electricembers.coop) (https://electricembers.coop), but not all. Filtering mail before it reaches your network lessens the chance of a virus- or malware-bearing link or attachment being clicked on. After initial setup, this service will be nearly invisible to staff, but requires that someone is tasked with dealing with false positives and other email delivery problems. Be aware, however, that this item involves a significant tradeoff: Filtering means that another company is viewing your email before it reaches you, and this may increase risk of that information being exposed. The [Electric Embers Cooperative](https://electricembers.coop/) (https://electricembers.coop/) is a values-aligned provider that offers such a service specifically for non-profits.*
 
 :heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; **To prevent social engineering, use generic email addresses, and only those addresses, for critical functions such as finance, security, and human resources management. Forward critical staff's email to someone else rather than exposing their absence through out-of-office autoreplies.**
 :rocket::rocket::wrench::fire::fire:  
@@ -85,33 +89,32 @@ A better practice than email attachments is to have files on a server and send l
 
 :heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**Where email is accessed on mobile or laptop devices, configure email clients and web browsers to store as little information as possible.**  
 :rocket::rocket::wrench::wrench::wrench::fire::fire::fire::fire:
-*Most web browsers can and should be set to clear their caches when closed. Most email clients can be configured to not store email offline and to clear caches when closed. Both can be configured not to store passwords as well. When configured this way, a lost or stolen laptop or phone will potentially result in far less exposure of information. Note that this practice will have extreme operational impact to your team, as it means that that users will need to enter a password every time they start their email program, and they will be unable to access emails when not connected to the Internet.*
-
-*This practice can be made unnecessary by encrypting your devices' hard drives. See the [Device Protection Checklist]("4_device_security_checklist.md") in this document set for details.*
+*Most web browsers can and should be set to clear their caches when closed. Most email clients can be configured to not store email offline and to clear caches when closed. Both can be configured not to store passwords as well. When set up this way, a lost or stolen laptop or phone will potentially result in far less exposure of information than it otherwise would. Note, however, that this practice will have extreme operational impact on your team, as it means that that users will need to enter a password every time they start their email program, and they will be unable to access emails when not connected to the Internet.*
 
+*This practice can be made unnecessary by encrypting your devices' hard drives. See the [Device Security Checklist]("4_device_security_checklist.md") in this document set for details.*
 
 :heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; **Prevent targeted phishing attacks using look-alike domains by registering any domains that could be mistakenly read as the domain you use for your email.**
 :rocket::wrench::fire:
-*Phishing attacks are hardest to detect when they use email "from" addresses and links to websites that appear to be official but are actually hosted by the attacker. One way that this can be done is by registering domain names that look like other domain names -- substituting a capital letter "i" for the letter "l," or an "m" for "nn," for example. For this reason, it is wise to note any ambiguous characters in your domain name(s) and proactively buy any that look similar. Although this will cost you some money, you can renew these at the same time as your other domains so there is little management overhead. You don't need to set up any services on these domains; you are just buying them so that others do not. [DNSTwister](https://dnstwister.report/) is a webpage that will let you put in a domain name and it will provide you a list of similar domain names that you might want to purchase.*
+*Phishing attacks are hardest to detect when they use email "from" addresses and links to websites that appear to be official but are actually hosted by the attacker. One way that this can be done is by registering domain names that look like other domain names--substituting a capital letter "i" for the letter "l," or an "m" for "nn," for example. For this reason, it is wise to note any ambiguous characters in your domain name(s) and proactively buy any that look similar. Although this will cost you some money, you can renew these at the same time as your other domains so there is little management overhead. You don't need to set up any services on these domains; you are just buying them so that others do not. [DNSTwister](https://dnstwister.report/) (https://dnstwister.report/) is a website that will let you put in a domain name and it will provide you a list of similar domain names that you might want to purchase.*
 
 :heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; **Set up correct Domainkeys Identified Mail (DKIM) and Sender Policy Framework (SPF) records, and the associated Domain-based Message Authentication, Reporting & Conformance (DMARC) records that build upon these, for your email domains and subdomains.**  
 :rocket::rocket::rocket::rocket::wrench::wrench::wrench::wrench::fire::fire:  
 *These are highly technical steps made in conjunction with your email and Domain Name Service (DNS) providers to make it hard for  spammers or phishers to fake emails from your organization. Consult your technical support provider for help.*
 
-*SPF records identify which mail servers are permitted to send email on behalf of your domain. Be aware that setting this up requires identifying **all** *the services that are currently sending email on your behalf (which could be databases, mass mailing tools, email list hosts, fundraising tools, and more); incorrect configurations can cause your email to be incorrectly marked as spam. Determining this list carefully is critical to implementing this recommendation in a way that does not interrupt ongoing operations. "Hard fail” settings (records ending in "-all") are preferred for SPF records wherever possible, but be careful, as this can cause email bounces if your records are not carefully tuned. Once set up correctly, however, you will need to maintain this list and make changes any time your organization adopts any other tools that send email from the same domain as your email addresses. Other that these maintenance steps, this should be invisible in operation. More information is on the official SPF website at http://www.openspf.org/.*
+*SPF records identify which mail servers are permitted to send email on behalf of your domain. Be aware that setting this up requires identifying* ***all*** *the services that are currently sending email on your behalf (which could be databases, mass mailing tools, email list hosts, fundraising tools, and more); incorrect configurations can cause your email to be incorrectly marked as spam. Determining this list carefully is critical to implementing this recommendation in a way that does not interrupt ongoing operations. "Hard fail” settings (records ending in "-all") are preferred for SPF records wherever possible, but be careful, as this can cause email bounces if your records are not carefully tuned. Once set up correctly, however, you will need to maintain this list and make changes any time your organization adopts any other tools that send email from the same domain as your email addresses. Other than these maintenance steps, this should be invisible in operation. More information is on the [official SPF website](http://www.openspf.org/) (http://www.openspf.org/).*
 
-*DKIM will help assure recipients that your designated mail servers sent the mail they are receiving. DMARC builds on these to tell recipient servers how to respond when the SPF or DKIM records help it identify spam or falsified messages. Once set up, these should have minimal impact on day to day operations, though it make changing your email provider or infrastructure more complex. Find more information at the official DKIM website at http://dkim.org/ and the official DMARC website at https://dmarc.org/.*
+*DKIM will help assure recipients that your designated mail servers sent the mail they are receiving. DMARC builds on these to tell recipient servers how to respond when the SPF or DKIM records help it identify spam or falsified messages. Once set up, these should have minimal impact on day to day operations, though it make changing your email provider or infrastructure more complex. Find more information at the [official DKIM website](http://dkim.org/) (http://dkim.org/) and the [official DMARC website](https://dmarc.org/) (https://dmarc.org/).*
 
-*Note that all three of these are easiest to set up using a platform such as G Suite, Office365, or other integrated cloud provider <what does "integrated cloud provider" mean in this context? feels jargony and I cannot fix bc I can't suss meaning>.*
+*Note that all three of these are easiest to set up using a platform such as G Suite, Office365, or other provider offering many services through an integrated, Internet-accessible platform.*
 
 :heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; **Use encryption, preferably "end to end," to secure your email.**  
 :rocket::rocket::rocket::rocket::wrench::wrench::wrench::wrench::fire::fire::fire::fire:  
-*This is a highly technical and labor-intensive initiative to undertake, but is probably the most complete way to minimize any inadvertent disclosure of data through email. Email encryption hides all email content from any servers or network providers that pass your mail along. It will likely require significant changes to staff practices and inconvenience for your team, but it provides significant protection of sensitive information emailed within your organization (and, if it is relevant to you, far greater compliance with standards such as HIPAA). There are various ways to implement email encryption, but only some are truly "end to end," meaning that you don't have to trust any parties in the middle, and encryption and decryption only happens on the devices communicating with each other.*
+*This is a highly technical and labor-intensive initiative to undertake, but is probably the most complete way to minimize any inadvertent disclosure of data through email. Email encryption hides all email content from any servers or network providers that pass your mail along. It will likely require inconvenience for your team and significant changes to staff practices, but it provides strong protection of sensitive information emailed within your organization (and, if it is relevant to you, far greater compliance with standards such as HIPAA). There are various ways to implement email encryption, but only some are truly "end to end," meaning that you don't have to trust any parties in the middle, and encryption and decryption only happens on the devices communicating with each other.*
+
+*The most common type of end-to-end encryption is called Pretty Good Privacy (PGP) and has been around for a long time. Consequently there are a lot of ways to use this type of encryption, and it works across many platforms. (It also lacks the ease and strength of some other, more modern encryption schemes.) One major tool for for using PGP encryption with email is the [Mozilla Thunderbird email client](https://www.mozilla.org/en-US/thunderbird/) (https://www.mozilla.org/en-US/thunderbird/) and the associated [Enigmail plugin](https://www.enigmail.net/home/index.php) (https://www.enigmail.net/home/index.php), which works on Windows (with the addition of [GPG4Win](https://gpg4win.org/) (https://gpg4win.org/), Mac, and Linux). You can find a guide for the Windows setup at [https://securityinabox.org/en/guide/thunderbird/windows](https://securityinabox.org/en/guide/thunderbird/windows). OSX's built-in Mail program and the open-source add on [GPGTools](https://gpgtools.org) (https://gpgtools.org) is also a workable toolset for using PGP-encrypted email on Macs. Microsoft Outlook works best with a commercial add-on called [gpg4o](https://www.giepa.de/products/gpg4o/?lang=en) (https://www.giepa.de/products/gpg4o/?lang=en) to use PGP encryption with Microsoft Exchange. [Mailvelope](https://www.mailvelope.com) https://www.mailvelope.com) is a powerful and well-audited PGP add-on for web browsers that allows you to use PGP encryption with almost any webmail service, including Gmail. Because of its position inside a web browser, its security is generally less assured than the other PGP options above, but is adequate for many organizations, especially when coupled with strong web browser profile controls and careful use of browser extensions as well as other safe browsing practices. Note that as of mid-2017, use of Mailvelope in Firefox is not recommended due to a security vulnerability discovered in it. 
If you want to use Mailvelope with Firefox, see [this blog post](https://www.mailvelope.com/en/blog/security-warning-mailvelope-in-firefox) (https://www.mailvelope.com/en/blog/security-warning-mailvelope-in-firefox) for details of how to do so as safely as possible.*
 
-*The most common type of end-to-end encryption is called Pretty Good Privacy (PGP) and has been around for a long time. Consequently there are a lot of ways to use this type of encryption, and it works across many platforms. (It also lacks the ease and strength of some other, more modern encryption schemes.) One major tool for for using PGP encryption with email is the [Mozilla Thunderbird]("https://www.mozilla.org/en-US/thunderbird/") email client and the associated [Enigmail plugin]("https://www.enigmail.net/home/index.php") which works on Windows (with the addition of [GPG4Win]("https://gpg4win.org/"), Mac and Linux). You can find [a guide for the Windows setup at] ("https://securityinabox.org/en/guide/thunderbird/windows"). OSX's built in Mail program and open source add on [GPGTools]("https://gpgtools.org") is also a workable tool set for using PGP-encrypted email on Macs. Microsoft Outlook works best with a commercial add-on called [gpg4o]("https://www.giepa.de/products/gpg4o/?lang=en") to use PGP encryption with Microsoft Exchange. [Mailvelope](https://www.mailvelope.com) is a powerful and well-audited PGP add-on for web browsers that allows you to use PGP encryption with almost any webmail service, including Gmail. Because of its position inside a web browser, its security is generally less assured than the other PGP options above, but is adequate for many organizations, especially when coupled with strong web browser profile controls and careful use of browser extensions as well as other safe browsing practices. Note that as of mid-2017, use of Mailvelope in Firefox is not recommended due to a security vulnerability discovered in it. If you want to use Mailvelope with Firefox, see this blog post for details of how to do so as safely as possible: https://www.mailvelope.com/en/blog/security-warning-mailvelope-in-firefox.*
+*For organizations with more resources, S/MIME is an alternate encryption scheme that works well with a Microsoft Exchange/Outlook environment or with Gmail by installing the [Penango plug-in](https://www.penango.com) (https://www.penango.com) or using [Google's native offering](https://support.google.com/a/answer/6374496) (https://support.google.com/a/answer/6374496), which requires use of the G Suite Enterprise paid services.*
 
-*For organizations with more resources, S/MIME is an alternate encryption scheme that works well with a Microsoft Exchange/Outlook environment or with Gmail by installing the [Penango]("https://www.penango.com") plugin or using [Google's native offering](https://support.google.com/a/answer/6374496), which requires use of the G Suite Enterprise paid services.*
-*Several alternate third-party managed encryption tools for email exist. One popular one is called Virtru (https://virtru.com) is available for Gmail and works best if used only with Gmail users.*
-*Similarly if you are able to transition your email entirely to their platform [ProtonMail]("https://protonmail.com/") is an open source end-to-end encrypted email provider that has implemented common PGP encryption in an easier to use package that solves a lot of key management problems to make secure email more seamless.
+*As alternatives, several third-party-managed encryption tools for email exist. One popular such service is [Virtru](https://virtru.com) (https://virtru.com); it is available for Gmail and works best if used only with Gmail users. If you are able to transition your email entirely to their platform, [ProtonMail](https://protonmail.com/) (https://protonmail.com/) is an open source end-to-end encrypted email provider that has implemented common PGP encryption in a package that is easier to use than the toolsets named above and solves a lot of key management problems to make secure email more seamless for users.
 
-* Google's S/MIME option, ProtonMail and the Virtru service are  end-to-end encryption offerings but also function with a strong trust dependency on the vendor to produce, manage and swap encryption keys for seamless emailing. If you are interested in these solutions, be aware that you are entering into a high-trust relationship with the vendor. If wanting to implement any encryption scheme mentioned here for your email, you will need to talk to your technical support provider and be prepared to invest time and resources into planning, implementation, and training.*
+*Google's S/MIME option, ProtonMail and Virtru are end-to-end encryption offerings that function with a strong trust dependency on the vendor to produce, manage, and swap encryption keys for seamless emailing. If you are interested in these solutions, be aware that you are entering into a high-trust relationship with the vendor. If wanting to implement any encryption scheme mentioned here for your email, you will need to talk to your technical support provider and be prepared to invest time and resources into planning, implementation, and training.*
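Review bot: the new Thunderbird/Enigmail paragraph (the long `+` line beginning "*The most common type of end-to-end encryption is called Pretty Good Privacy") has been split across two lines, and its continuation ("If you want to use Mailvelope with Firefox, see [this blog post]...") carries no leading `+`, so the hunk will not apply and the line counts in the `@@` header no longer match; rejoin it into the single `+` line that replaces the removed paragraph. Within that paragraph, "One major tool for for using PGP encryption" still doubles "for", the platform parenthetical closes in the wrong place (it should read "which works on Windows (with the addition of GPG4Win), Mac, and Linux", not enclose Mac and Linux inside the GPG4Win aside), and "[Mailvelope](https://www.mailvelope.com) https://www.mailvelope.com)" lacks the opening parenthesis every other link on the page gets. The added "*As alternatives, several third-party-managed encryption tools for email exist." paragraph opens an italic span that is never closed, so the leading `*` will render literally; the removed line had the same defect, and the rewrite is the place to close it after "more seamless for users." In the DKIM/DMARC paragraph, "though it make changing your email provider or infrastructure more complex" survives unchanged from the removed line and should become "though they make changing your email provider or infrastructure more complex". In the SPF paragraph, "Hard fail” mixes a straight opening quote with a curly closing one. Finally, dropping "but also" in the last paragraph ("...are end-to-end encryption offerings that function with a strong trust dependency on the vendor...") loses the contrast the sentence exists to make: these are end-to-end offerings that nonetheless require trusting the vendor with key generation and exchange. Keep "but" there ("...end-to-end encryption offerings, but they function with a strong trust dependency on the vendor..."), and "If wanting to implement any encryption scheme" reads better as "If you want to implement any encryption scheme".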
diff --git a/8_gsuite_security_checklist.md b/8_gsuite_security_checklist.md
index 0b37182b61b4aa106a8463b8b362469469e6264c..058df36659146b0b5aff91b135591b7cdc8be8a6 100644
--- a/8_gsuite_security_checklist.md
+++ b/8_gsuite_security_checklist.md
@@ -2,103 +2,113 @@
 document set: DRAFT DIGITAL SECURITY CHECKLISTS FOR U.S. NON-PROFITS
 title: G Suite Security Checklist
 author: Jonah Silas Sheridan, Lisa Jervis for Information Ecology
-last modified: 10/11/2017
-version: 2.0, DRAFT NOT FOR FOR PUBLIC USE
+last modified: 10/27/2017
+version: 2.0, PEER REVIEWED
 ---
 
 # G Suite Security Checklist
 
 ## Introduction
 
-*This checklist comes from the Weathering the Storms toolkit, which contains wraparound documentation including an introduction, frequently asked questions, and a glossary where you can look up any terms that are unfamiliar to you. This is a community-driven document set with the latest version always at https://ecl.gy/sec-check. We welcome your feedback via RoadMap, or our contact form at https://iecology.org/contact/.*
+*This checklist comes from the Weathering the Storms toolkit, which contains wraparound documentation including an [introduction](1_checklist_introduction.md), [frequently asked questions](C_FAQ.md), and a [glossary](A_glossary.md) where you can look up any terms that are unfamiliar to you. This is a community-driven document set with the latest version always at [https://ecl.gy/sec-check](https://ecl.gy/sec-check). We welcome your feedback via RoadMap, or our contact form at [https://iecology.org/contact/](https://iecology.org/contact/).*
 
-As of this document's creation (in 2017) a significant portion of U.S. non-profits rely on Google's free online "cloud" applications (Gmail, Google Docs/Sheets, GDrive, and Google Calendar among them) to do their work. While many groups still depend on personal or other Gmail accounts made for their work (any login that ends with @gmail.com) for access to these services, Google also offers G Suite: a version of these tools suited for use in organizations. G Suite provides significant advantages over personal accounts, including organizational email addresses using your chosen domain name (the part of an email address after the @ sign), administrative controls, advanced settings, and 24/7 support 24/7 tech support for use of the tools. These features can improve your organization's technology in many areas, including helping you better secure your information by providing tighter management, control, and monitoring of your systems and how they are used.
+As of this document's creation (in 2017) a significant portion of U.S. non-profits rely on Google's free online applications (Gmail, Google Docs/Sheets, GDrive, and Google Calendar among them) to do their work. While many staff access these services through individual Gmail accounts (any username that ends with @gmail.com), or a link between their work email address and an existing individual account, Google also offers G Suite: a version of these tools suited for use in organizations. G Suite provides significant advantages over individual accounts, including organizational email addresses using your chosen domain name (the part of an email address after the @ sign), administrative controls, advanced settings, 24/7 tech support for use of the tools. These features can improve your organization's technology in many areas, including helping you better secure your information by providing tighter management, control, and monitoring of your systems and how they are used.
 
-Because of these advantages, and the fact that Google offers the Basic version of G Suite for free to registered U.S. 501c3 organizations, setting it up for your organization is highly recommended for all U.S. organizations that already rely on Google's web-based tools. While there are definitely risks associated with providing any third-party corporation access to all your information and the metadata about how and where you and your team use it--especially a corporation in the business of data mining and advertisement targeting--if you are already accepting this risk by relying on Google's tools, G Suite will at least help you secure that information from others. You can begin the sign up process and read about the offerings at https://www.google.com/nonprofits/products/apps-for-nonprofits.html.
+Because of these advantages, and the fact that Google offers the Basic version of G Suite for free to registered U.S. 501c3 organizations, setting it up for your organization is highly recommended for all eligible organizations that already rely on Google's web-based tools. While there are definitely risks associated with providing any third-party corporation access to all your information and the metadata about how and where you and your team use it--especially a corporation in the business of data mining and advertisement targeting--if you are already accepting this risk by relying on Google's tools, G Suite will at least help you secure that information from others. You can begin the sign-up process and read about the offerings at https://www.google.com/nonprofits/products/apps-for-nonprofits.html.
 
-***Please note that this document should in no way be read as an explicit endorsement of G Suite or other Google tools for movement-building, activist, or other non-profit organizations. There are many other tools--with a range of associated security and operational tradeoffs--that can meet the needs that G Suite fills. If any previous security risk assessment has shown that the vulnerabilities and risks associated with Google's tools are unacceptable for your organization, or for any reason having strong trust relationship with a U.S.-based corporation is concerning to you, this checklist is not relevant to you and it is not a recommendation to rethink your existing decisions.***
+***Please note that this document should in no way be read as an explicit endorsement of G Suite or other Google tools for movement-building, activist, or other non-profit organizations. There are many other tools--with a range of associated security and operational tradeoffs--that can meet the needs that G Suite fills. If any previous security risk assessment has shown that the vulnerabilities and risks associated with Google's tools are unacceptable for your organization, or if for any reason having strong trust relationship with a U.S.-based corporation is concerning to you, this checklist is not relevant to you and it is not a recommendation to rethink your existing decisions.***
 
-For those that have already adopted G Suite in the non-profit sector, the checklist that follows offers direction on how to set up and use the administrative controls offered by the free G Suite Basic platform to harden your organizational G Suite account and improve your overall digital security level. (In this context, "harden" means to reduce the points of vulnerability of a system by turning off or disabling functionality that is not needed.) Note that, as indicated in the associated description, many of these tasks are specific implementations of checklist items from elsewhere in this set.
+For those in the non-profit sector that have already adopted G Suite, the checklist that follows offers direction on how to set up and use the administrative controls offered by the free G Suite Basic platform to harden your organizational G Suite account and improve your overall digital security level. (In this context, "harden" means to reduce the points of vulnerability of a system by turning off or disabling functionality that is not needed.) Note that, as indicated in the associated descriptions, many of these tasks are specific implementations of checklist items from elsewhere in this set.
 
-It is also noted that there are additional controls and security features available using other editions of G Suite, including G Suite for Business and G Suite Enterprise. While neither of these other editions are provided for free (and for a system that is priced by the user, costs can add up quickly), the additional functionality provided has tremendous value for organizations that have additional security needs stemming from items including but not limited to compliance requirements, the presence of highly sensitive data, or a wish to deploy tightly controlled mobile devices. You can review edition differences at https://G Suite.google.com/compare-editions/; if you're unsure which is best for your needs, ask for help from your technical support provider.
+Please also note that there are additional controls and security features available using other editions of G Suite, including G Suite for Business and G Suite Enterprise. While neither of these other editions are provided for free (and for a system that is priced by the user, costs can add up quickly), the additional functionality provided has tremendous value for organizations that have additional security needs stemming from items including but not limited to compliance requirements, the presence of highly sensitive data, or a wish to deploy tightly controlled mobile devices. You can review edition differences at [https://gsuite.google.com/compare-editions/](https://gsuite.google.com/compare-editions/); if you're unsure which is best for your needs, ask for help from your technical support provider.
 
 ## Key
+
 :heavy_check_mark: Record actions  
-:rocket: Implementation management overhead rating   
+:rocket: Implementation management overhead   
 :wrench: Technical skill level required
 :fire: Work flow disruption for staff
 
 ## G Suite Configuration Security Tasks
+
 :heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**Make a plan, preferably before deploying G Suite, detailing how your information is used by your staff, volunteers, and others, to ensure that you understand your security needs and can configure the tools correctly.**
 :rocket::rocket::rocket::wrench::fire:
-*G Suite is a powerful platform with a lot of moving parts and a lot of possible configurations. As with all tools, the more time and energy you put into understanding the different users and user types you have and what features they need to use, the more effective your implementation of security controls will be. First read through this checklist to familiarize yourself with some practices you may want to employ in your G Suite setup. Then make a list of all the different groups of people you have in your organization that will be using G Suite; a typical list might be: full-time staff, part-time staff, volunteers, and board members). Then think about and list how each of those groups will need each of the various tools that are part of G Suite: e.g., to send email, to edit documents, to access your shared contacts list, to maintain a shared calendar, and so on. Does any single group need a tool that no one else needs? Conversely, does any group have no need for a tool that everyone else uses? Also think about any shared roles where multiple people need access to the same identity, email box, or set of documents -- such as an email account used to send or receive invoices, or a set of documents used for a volunteer-run hotline. Google has produced a lot of documentation on how to plan your G Suite deployment (see https://support.google.com/a/answer/4514329); it can help you understand the applications and settings available to you in your configuration process. At a minimum, having a well-crafted plan will guide you as you step through the administrative tools at https://admin.google.com and also help you formulate specific questions for G Suite support as you go through the setup.*
+*G Suite is a powerful platform with a lot of moving parts and a lot of possible configurations. As with all tools, the more time and energy you put into understanding the different users and user types you have and what features they need to use, the more effective your implementation of security controls will be. First read through this checklist to familiarize yourself with some practices you may want to employ in your G Suite setup. Then make a list of all the different groups of people you have in your organization that will be using G Suite; a typical list might be: full-time staff, part-time staff, volunteers, and board members. Then think about and list how each of those groups will need each of the various tools that are part of G Suite: e.g., to send email, to edit documents, to access your shared contacts list, to maintain a shared calendar, and so on. Does any single group need a tool that no one else needs? Conversely, does any group have no need for a tool that everyone else uses? Also think about any shared roles where multiple people need access to the same identity, email box, or set of documents -- such as an email account used to send or receive invoices, or a set of documents used for a volunteer-run hotline. Google has produced a lot of [documentation on how to plan your G Suite deployment](https://support.google.com/a/answer/4514329) (https://support.google.com/a/answer/4514329); reading through it will help you understand the applications and settings available to you in your configuration process. At a minimum, having a well-crafted plan will guide you as you step through the administrative tools at [https://admin.google.com](https://admin.google.com) and also help you formulate specific questions for G Suite support as you go through the setup.*
 
 :heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; **Create a single, dedicated account with full administrative control of G Suite ("Super Admin" permissions) and do not associate it with with any individual's email address; provide a recovery email address or phone number that is controlled by your organization or a trusted tech support provider and not an individual employee. Assign other administrative permissions appropriately.**
 :rocket::rocket::wrench::wrench::fire::fire:
-*While convenient, giving everyday user accounts permission to administer your G Suite creates risk. Doing so can mean that the loss or theft of a person's device, or a breach of their password, could put all of your organization's information at risk. Instead, sign up with or create a unique email address (like GSuite@yourdomain.org, replacing yourdomain.org with your organization's domain name) for this purpose; do not use it for anything else. Give this account "Super Admin" permissions (which means full control over your G Suite setup, including access to all calendars and accounts), remove those permissions from any other accounts (note that the account you use to perform your G Suite setup will have Super Admin permissions assigned automatically), and store the password in a safe way such as a well-configured password manager (see the authentication checklist for more information) or safety deposit box, using it only when you need to change settings in G Suite. You will be asked to give recovery email or phone number in case of a lost password. This email or phone should be controlled by your organization or trusted delegate such as a tech support provider or affiliate organization rather than by an individual employee. You can find instructions for giving or taking away Super Admin permissions for a user at https://support.google.com/a/answer/172176. Directions for setting up a recovery phone number or email are at https://support.google.com/accounts/answer/183723.*
+*While convenient, giving everyday user accounts permission to administer your G Suite creates risk. Doing so can mean that the loss or theft of a person's device, or a breach of their password, could put all of your organization's information at risk. Instead, sign up with or create a unique email address (like GSuite@yourdomain.org, replacing yourdomain.org with your organization's domain name) for this purpose; do not use it for anything else. Give this account "Super Admin" permissions (which means full control over your G Suite setup, including access to all calendars and accounts), remove those permissions from any other accounts (note that the account you use to perform your G Suite setup will have Super Admin permissions assigned automatically), and store the password in a safe way such as a well-configured password manager (see the [Password and Authentication Security checklist](5_authentication_checklist.md) for more information) or safety deposit box, using it only when you need to change settings in G Suite. You will be asked to give a recovery email or phone number in case of a lost password. This email or phone should be controlled by your organization or trusted delegate such as a tech support provider or affiliate organization rather than by an individual employee. You can find instructions for giving or taking away Super Admin permissions for a user at [https://support.google.com/a/answer/172176](https://support.google.com/a/answer/172176). Directions for setting up a recovery phone number or email are at [https://support.google.com/accounts/answer/183723](https://support.google.com/accounts/answer/183723).*
 
-*Other levels of administrative control can be assigned according to your organizational needs. For example, you could give a tech support provider Help Desk Admin permissions, which will allow them to reset passwords for people but not create users or groups. You can give control of that account to someone who does tech support without giving them total control of your systems. You can review the built-in administrative groups and find a link on how to make custom roles of your own at https://support.google.com/a/answer/2405986. Creating new users is the most common administrative task in many organizations and, although it may be tempting to delegate this permission to a normal operating account, gaining the power to create a user and add it to groups effectively gives a malicious actor access to all of your files until the user they create is identified and disabled, so it is best to give this permission only to specialized administrative accounts.*
+*Other levels of administrative control can be assigned according to your organizational needs. For example, you could give a tech support provider Help Desk Admin permissions, which will allow them to reset passwords for people but not create users or groups. You can give control of that account to someone who does tech support without giving them total control of your systems. You can review the built-in administrative groups and find a link on how to make custom roles of your own at [https://support.google.com/a/answer/2405986](https://support.google.com/a/answer/2405986). Creating new users is the most common administrative task in many organizations and, although it may be tempting to delegate this permission to a normal operating account, gaining the power to create a user and add it to groups effectively gives a malicious actor access to all of your files until the user they create is identified and disabled, so it is best to give this permission only to specialized administrative accounts.*
 
 :heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**Enforce password length rules.**
 :rocket::wrench::fire::fire:
-*G Suite allows you to set minimum (and maximum) password lengths. Setting a minimum length of at least 12 characters helps guard against easily guessable passwords. Instructions on getting this up are at https://support.google.com/a/answer/139399?hl=en. Note that helping people to produce long passphrases that are a combination of words that have never appeared together (perhaps with some character substitutions) and that don't include any information about that person will allow you to push this minimum length even higher so that guessing a password becomes virtually impossible. <include this tip in passwords doc, and/or replace this sentence with a reference to the password checklist?>*
+*G Suite allows you to set minimum (and maximum) password lengths. Setting a minimum length of at least 12 characters helps guard against easily guessable passwords. Instructions on getting this up are at [https://support.google.com/a/answer/139399?hl=en](https://support.google.com/a/answer/139399?hl=en). See the [Password and Authentication Security checklist](5_authentication_checklist.md) for more resources to help people create strong passwords.*
 
 :heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**Use the organizational units functionality in G Suite to make groupings of user accounts or devices, and give them the minimum level of access required to do their work.**
 :rocket::rocket::wrench::wrench::fire::fire:
-*Giving all users ability to use all the G Suite tools in any way they want invites security risk for your organization. Instead, you should practice the security concept of "least authority"--meaning you give users only the minimum access that is required for them to do their work. For example, you may want have volunteers enter information into Google Sheets but not send email from accounts with your domain name. To allow you to control access in this way efficiently rather than on a per-user basis, G Suite provides a structure called an organizational unit. Organizational units allow you to categorize users or devices into groups, and then assign policies to each of those groups. These policies cover things like the ability to access specific tools or to apply certain settings to their accounts. You can read an overview of applying policies at https://support.google.com/a/topic/1227584. An article about organizational structures is at https://support.google.com/a/answer/4352075 and instructions for creating units is at https://support.google.com/a/answer/182537.*
-*Once you have created these units, you can use them to control access to services as described at https://support.google.com/a/answer/182442 or to apply specific settings about those services as described at https://support.google.com/a/answer/2655363.*
+*Giving all users ability to use all the G Suite tools in any way they want invites security risk for your organization. Instead, you should practice the security concept of "least authority"--meaning you give users only the minimum access that is required for them to do their work. For example, you may want have volunteers enter information into Google Sheets but not send email from accounts with your domain name. To allow you to control access in this way efficiently rather than on a per-user basis, G Suite provides a structure called an organizational unit. Organizational units allow you to categorize users or devices into groups, and then assign policies to each of those groups. These policies cover things like the ability to access specific tools or to apply certain settings to their accounts. You can read an overview of applying policies at [https://support.google.com/a/topic/1227584](https://support.google.com/a/topic/1227584). An article about organizational structures is at [https://support.google.com/a/answer/4352075](https://support.google.com/a/answer/4352075) and instructions for creating units is at [https://support.google.com/a/answer/182537](https://support.google.com/a/answer/182537).*
+
+*Once you have created these units, you can use them to control access to services as described at [https://support.google.com/a/answer/182442](https://support.google.com/a/answer/182442) or to apply specific settings about those services as described at [https://support.google.com/a/answer/2655363](https://support.google.com/a/answer/2655363).*
 
 :heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**Use Google Groups and Team Drive features to provide appropriate access to files for different groups of users, and to ensure that your organization always controls its own information.**
 :rocket::rocket::wrench::fire::fire::fire:
-*Historically one of the challenges of managing your organization's files using Google Drive has been the risk of loss of access to key documents when employees or volunteers leave the team, as well as the lack of ability to prevent sensitive information from being shared more widely than it should be. By setting up one or more Team Drives (as described at https://support.google.com/a/answer/7212025) you can ensure that the Super Admin for your G Suite domain always has access to the files that are stored there. You can also apply permissions (as described in this article https://support.google.com/a/answer/7337635?hl=en) to a Team Drive to allow only the minimum access needed. For example, you might have organizational policy documents that everyone needs to be able to view and only certain staff members should be able to change. You can give these permissions by individual email address if your organization is small enough, and, for larger groups and easier management, you can create groups in Google Groups (https://support.google.com/a/answer/33329) and give appropriate permissions to the Group's email address. This way when a new person comes on board or leaves a team or the organization, you need only to take them out of the relevant Google Groups or Team Drives to also remove their account's permissions to files. Note that by locking down your files in this way, your system becomes much less widely accessible to staff, and someone will need to be in charge of and regularly available for changes to permissions and group settings as needed. The increased control of your files is well worth this overhead. (Note also that Team Drive permissioning carries other operational tradeoffs around folder structure: it may limit who can create folders and move files around, which can benefit the clarity with which files are organized and may also run counter to staff expectations and be quite disruptive. 
Also note that more expensive versions of GSuite also include Google Vault which gives you a more robust set of tools for logging, archiving and review of organizational documents for compliance or other reasons as described at https://support.google.com/a/answer/2462365)*
+*Historically, one of the challenges of managing your organization's files using Google Drive has been the risk of loss of access to key documents when employees or volunteers leave the team, as well as the lack of ability to prevent sensitive information from being shared more widely than it should be. By setting up one or more Team Drives (as described at [https://support.google.com/a/answer/7212025](https://support.google.com/a/answer/7212025)), you can ensure that the Super Admin for your G Suite domain always has access to the files that are stored there. You can also apply permissions (as described at [https://support.google.com/a/answer/7337635?hl=en](https://support.google.com/a/answer/7337635?hl=en)) to a Team Drive to allow only the minimum access needed. For example, you might have organizational policy documents that everyone needs to be able to view and only certain staff members should be able to change. You can give these permissions by individual email address if your organization is small enough, and, for larger groups and easier management, you can [create Google Groups](https://support.google.com/a/answer/33329) ((https://support.google.com/a/answer/33329)) and give appropriate permissions to the Group's email address. This way when a new person comes on board or leaves a team or the organization, you need only to take them out of the relevant Google Groups or Team Drives to also remove their account's permissions to files. Note that by locking down your files in this way, your system becomes much less widely accessible to staff, and someone will need to be in charge of and regularly available for changes to permissions and group settings as needed. The increased control of your files is well worth this overhead.
+
+It is also useful to be aware that Team Drive permissioning carries other operational tradeoffs around folder structure: it may limit who can create folders and move files around, which can benefit the clarity with which files are organized, but may also run counter to staff expectations and be quite disruptive. More expensive versions of G Suite also include Google Vault, which gives you a more robust set of tools for logging, archiving, and review of organizational documents for compliance or other reasons as described at [https://support.google.com/a/answer/2462365](https://support.google.com/a/answer/2462365).*
 
 :heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**Turn on two-factor authentication, and, in conjunction with appropriate planning, training, and support, enforce it for all users. Use Google Authenticator codes or universal two-factor (U2F) hardware keys as a second factor rather than text message codes, and make sure staff reports immediately if their second factor is lost or stolen.**
 :rocket::rocket::rocket::wrench::wrench::wrench::fire::fire::fire:
-*One of the advantages of G Suite as a platform is its support for two-factor authentication, whereby users to prove their identity at login with two things that they know or control: 1) a password and 2) a hardware key, code produced by a program running on their computer or phone, a text message code, a phone call to a cell or landline, or even a list or codes they have printed out. Unless your organization owns and manages the cell phones that would be receiving a text message <or phone call? is the problem with the SMS protocol, the SIM card, or both?>, it is strongly advised that all staff use a non-text-message-based <phone number based? see above Q> second factor when logging into Google services, especially for any accounts with Super Admin or other administrative rights to your G Suite domain. This is because it can be surprisingly easy for someone to take over control of a cell number via social engineering and/or fraud (see https://www.ftc.gov/news-events/blogs/techftc/2016/06/your-mobile-phone-account-could-be-hijacked-identity-thief, https://techcrunch.com/2016/06/10/how-activist-deray-mckessons-twitter-account-was-hacked/, and https://threatpost.com/nist-recommends-sms-two-factor-authentication-deprecation/119507/ for more information).*
+*One of the advantages of G Suite as a platform is its support for two-factor authentication, whereby users prove their identity at login with two things that they know or control: 1) a password and 2) a hardware key, code produced by a program running on their computer or phone, a text message code, a phone call to a cell or landline, or even a list or codes they have printed out. Unless your organization owns and manages the cell phones that would be receiving a text message or call, it is strongly advised that all staff use a second factor that does not rely on a text message or call to a cell phone when logging into Google services, especially for any accounts with Super Admin or other administrative rights to your G Suite domain. This is because it can be surprisingly easy for someone to take over control of a cell number via social engineering and/or fraud (see [https://www.ftc.gov/news-events/blogs/techftc/2016/06/your-mobile-phone-account-could-be-hijacked-identity-thief](https://www.ftc.gov/news-events/blogs/techftc/2016/06/your-mobile-phone-account-could-be-hijacked-identity-thief), [https://techcrunch.com/2016/06/10/how-activist-deray-mckessons-twitter-account-was-hacked/](https://techcrunch.com/2016/06/10/how-activist-deray-mckessons-twitter-account-was-hacked/), and [https://threatpost.com/nist-recommends-sms-two-factor-authentication-deprecation/119507/](https://threatpost.com/nist-recommends-sms-two-factor-authentication-deprecation/119507/) for more information).*
 
-*There are several alternatives to text messaging for this purpose. Google Authenticator is available in the Google Play store for Android phones, in the App Store for iOS devices, and as a Chrome extension for use in the browser. The most common U2F hardware key is called a Yubikey and can be ordered at: https://www.yubico.com/gafw/. Using this link and logging into your G Suite admin account will allow you to order up to 50 keys at the half-price cost of $9 each.*
-*Because of the choices available, the impact of this change on staffs' daily work, and the consequences of disrupted access to G Suite accounts, careful planning for the rollout of two-factor authentication is essential. Furthermore, enforcing two-factor authentication for all users requires each staff member to participate in this rollout in very specific ways. Refer to all the information and resources below to understand the scope of necessary planning.*
+*There are several alternatives to text messaging for this purpose. Google Authenticator is available in the Google Play store for Android phones, in the App Store for iOS devices, and as a Chrome extension for use in the browser. The most common U2F hardware key is called a Yubikey and can be ordered at: [https://www.yubico.com/gafw/](https://www.yubico.com/gafw/). Using this link and logging into your G Suite admin account will allow you to order up to 50 keys at the half-price cost of $9 each.*
 
-*Information about setup, as well as links to training materials for staff, is detailed in this document: https://support.google.com/a/answer/175197. Have staff print backup codes (see directions here: https://support.google.com/accounts/answer/1187538) so that they can still get into their account if their phone or hardware key is lost or stolen. Although those backup codes will allow them keep working, it is important to train users to report a lost second factor or set of backup codes to whomever is responsible for administration of your G Suite domain. Once reported lost or stolen, a security key MUST be revoked (https://support.google.com/a/answer/2537800#seckey), backup codes MUST be regenerated by the user (https://support.google.com/accounts/answer/1187538), or a Google Authenticator app MUST be removed as a second factor to preserve your security levels. Be aware that separate passwords for applications such as email or calendaring clients that do not support the two-factor process will become necessary, and you will want to be sure you help staff create those as outlined in this document: https://support.google.com/a/answer/1032419.*
+*Because of the choices available, the impact of this change on staff members' daily work, and the consequences of disrupted access to G Suite accounts, careful planning for the rollout of two-factor authentication is essential. Furthermore, enforcing two-factor authentication for all users requires each staff member to participate in this rollout in very specific ways. Refer to all the information and resources below to understand the scope of necessary planning.*
 
-*You can also use the Advanced Security Settings, which can be applied to all of your users, or any group of users in an organizational unit, to require that two-factor authentication is set up within a certain amount of time after a user's first login. Although this may put a strain on technical support resources, it is highly recommended. Directions to enforce two-factor authentication can be found at https://support.google.com/a/answer/2548882.*
+*Information about setup, as well as links to training materials for staff, is detailed in this document: [https://support.google.com/a/answer/175197](https://support.google.com/a/answer/175197). Have staff print backup codes (see directions: [https://support.google.com/accounts/answer/1187538](https://support.google.com/accounts/answer/1187538) so that they can still get into their account if their phone or hardware key is lost or stolen. Although those backup codes will allow them keep working, it is important to train users to report a lost second factor or set of backup codes to whoever is responsible for administration of your G Suite domain. Once reported lost or stolen, a security key* ***must*** *be revoked ([https://support.google.com/a/answer/2537800#seckey](https://support.google.com/a/answer/2537800#seckey)), backup codes* ***must*** *be regenerated by the user ([https://support.google.com/accounts/answer/1187538](https://support.google.com/accounts/answer/1187538)), or a Google Authenticator app* ***must*** *be removed as a second factor to preserve your security levels. Be aware that separate passwords for applications such as email or calendaring clients that do not support the two-factor process will become necessary, and you will want to be sure you help staff create those as outlined in this document: [https://support.google.com/a/answer/1032419](https://support.google.com/a/answer/1032419).*
 
-*Note: A more general version of this recommendation can be found in the Passwords and Authentication Safety Checklist in this document set. Two-factor authentication is a best practice for use with any service or tool that supports it, and each will have its own set of options available--and planning steps--for you and your staff to consider.*
+*You can also use the Advanced Security Settings, which can be applied to all of your users, or any group of users in an organizational unit, to require that two-factor authentication is set up within a certain amount of time after a user's first login. Although this may put a strain on technical support resources, it is highly recommended. Directions to enforce two-factor authentication can be found at [https://support.google.com/a/answer/2548882](https://support.google.com/a/answer/2548882).*
+
+*Note: A more general version of this recommendation can be found in the [Password and Authentication Safety Checklist](5_authentication_checklist.md) in this document set. Two-factor authentication is a best practice for use with any service or tool that supports it, and each will have its own set of options available--and planning steps--for you and your staff to consider.*
 
 :heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**Implement controls that make it difficult for anyone to spoof email from your domain.**
 :rocket::rocket::rocket::wrench::wrench::wrench::wrench::fire::fire:
-*Google has produced a strong set of tools to allow other email systems to verify that email coming from your G Suite domain is in fact yours, preventing spoofed emails. (Email spoofing is the creation of email with a forged "from" address, generally sent with the intent to deceive the recipient.) Using them will make it very hard for your email addresses to be abused for phishing or other attacks against external parties, as well as faked internally. These tools use the latest Internet standards called Domainkeys Identified Mail (DKIM), Sender Policy Framework (SPF) records, and the associated Domain-based Message Authentication, Reporting & Conformance (DMARC) records to do this. Documentation that will guide you through setting them all up is at https://support.google.com/a/topic/4388154.*
+*Google has produced a strong set of tools to allow other email systems to verify that email coming from your G Suite domain is in fact yours, preventing spoofed emails. (Email spoofing is the creation of email with a forged "from" address, generally sent with the intent to deceive the recipient.) Using them will make it very hard for your email addresses to be abused for phishing or other attacks against external parties, as well as faked internally. These tools use the latest Internet standards called Domainkeys Identified Mail (DKIM), Sender Policy Framework (SPF) records, and the associated Domain-based Message Authentication, Reporting & Conformance (DMARC) records to do this. Documentation that will guide you through setting them all up is at [https://support.google.com/a/topic/4388154](https://support.google.com/a/topic/4388154).*
 
-*Setting up DKIM, SPF, and DMARC is a highly technical set of tasks that involves your Domain Name Servers (DNS) in addition to Google. Your DNS may not be hosted at Google and so require a different login; the management tools and may not have an easy interface to work within. It may be more appropriate to assign this set of tasks to your tech support provider than to do it yourself.*
+*Setting up DKIM, SPF, and DMARC is a highly technical set of tasks that involves your Domain Name Servers (DNS) in addition to Google. Your DNS may not be hosted at Google and so may require a different login; the management tools and may not have an easy interface to work within. It may be more appropriate to assign this set of tasks to your tech support provider than to do it yourself.*
 
-*SPF records identify which mail servers are permitted to send email on behalf of your domain. Be aware that setting this up requires identifying **all** *the services that are currently sending email on your behalf (which could be databases, mass mailing tools, email list hosts, fundraising tools, and more); incorrect configurations can cause your email to be incorrectly marked as spam. Determining this list carefully is critical to implementing this recommendation in a way that does not interrupt ongoing operations. "Hard fail” settings (records ending in "-all") are preferred for SPF records wherever possible, but be careful, as this can cause email bounces if your records are not carefully tuned. Once set up correctly, however, you will need to maintain this list and make changes any time your organization adopts any other tools that send email from the same domain as your email addresses. Other that these maintenance steps, this should be invisible in operation.*
+*SPF records identify which mail servers are permitted to send email on behalf of your domain. Be aware that setting this up requires identifying* ***all*** *the services that are currently sending email on your behalf (which could be databases, mass mailing tools, email list hosts, fundraising tools, and more); incorrect configurations can cause your email to be incorrectly marked as spam. Determining this list carefully is critical to implementing this recommendation in a way that does not interrupt ongoing operations. "Hard fail” settings (records ending in "-all") are preferred for SPF records wherever possible, but be careful, as this can cause email bounces if your records are not carefully tuned. Once set up correctly, however, you will need to maintain this list and make changes any time your organization adopts any other tools that send email from the same domain as your email addresses. Other than these maintenance steps, this should be invisible in operation.*
 
-*A more general version of this recommendation can be found in the Email Safety Checklist in this document set. It is more easily set up in an integrated <same Q as in the email list--what does this mean?> platform such as G Suite than in many other environments, so here is rated slightly lower in difficulty and skill required.*
+*A more general version of this recommendation can be found in the [Email Safety Checklist](7_email_safety_checklist) in this document set. It is more easily set up in G Suite than in many other environments, so here is rated slightly lower in difficulty and skill required.*
 
 :heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**Disable users' ability to set up automatic email forwarding on their account, so that any sensitive internal emails don't end up traveling insecurely to other email accounts or remain in less-secured email systems that are vulnerable to attack.**
 :rocket::wrench::fire:
-*Although it can be handy for people to be able to forward their organizational email automatically to personal or other email accounts, your organization has no control over how that email travels and how secured it is once it gets there. By allowing automatic email forwarding to other systems, you create a point of potential disclosure for internal conversations that would be otherwise locked into Google's secured infrastructure and (assuming you follow this checklist in full) protected by strong passwords and two-factor authentication. This is a simple setting that can be applied to all users or a set of users in an Organizational Unit as detailed at https://support.google.com/a/answer/2491924. Note this does not prevent a user from emailing copy and pasted emails, screenshots, or downloaded copies of an email outside of your organization so is best coupled with clear policies and guidelines in this area.*
+*Although it can be handy for people to be able to forward their organizational email automatically to personal or other email accounts, your organization has no control over how that email travels and how secured it is once it gets there. By allowing automatic email forwarding to other systems, you create a point of potential disclosure for internal conversations that would be otherwise locked into Google's secured infrastructure and (assuming you follow this checklist in full) protected by strong passwords and two-factor authentication. This is a simple setting that can be applied to all users or a set of users in an Organizational Unit as detailed at [https://support.google.com/a/answer/2491924](https://support.google.com/a/answer/2491924). Note this does not prevent a user from forwarding emails manually, emailing copy and pasted emails, screenshots, or downloaded copies of an email outside of your organization, so is best coupled with clear policies and guidelines in this area.*
+
+:heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**Change the default behavior of the "Get sharable link" feature.**
+:rocket::wrench::fire:
+*Unless you change the default behavior of your G Suite, whenever anyone clicks "Get sharable link" on a folder or file, they will create a link that is open to anyone, without needing to sign into a Google account. You can and should change this default behavior so that "Get sharable link" can be used to copy-paste a document link without changing the existing permissions on the item. Instructions for finding these settings are at [https://support.google.com/a/answer/60781?hl=en](https://support.google.com/a/answer/60781?hl=en); under Link Sharing, choose "OFF." This setting will not prevent files and folders from being shared more widely by intentionally changing the item's permissions via the "Share" button.*
 
 :heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**Educate your staff on file sharing, including the higher security of sharing by email address and risks associated with sharing files by link.**
 :rocket::rocket::wrench::fire:
-*All users should be trained on the exact options available to them for sharing files in G Suite both with coworkers and external partners. This help document provides a good overview: https://support.google.com/drive/answer/2494822. Though this article is clear, helpful, and very suitable for end users, document sharing and collaboration workflows can be complex; it is recommended to document some guidelines based on your organization's specific ways of working and then offer in-person or webinar trainings, with live practice, to develop shared understanding and strong usage practices among staff.*
+*All users should be trained on the exact options available to them for sharing files in G Suite both with coworkers and external partners. This help document provides a good overview: [https://support.google.com/drive/answer/2494822](https://support.google.com/drive/answer/2494822). Though this article is clear, helpful, and very suitable for end users, document sharing and collaboration work flows can be complex; it is recommended to document some guidelines based on your organization's specific ways of working and then offer in-person or webinar trainings, with live practice, to develop shared understanding and strong usage practices among staff.*
 
-*Although it is very easy to click the "Get shareable link" on a file or folder and send it to someone for collaboration, there are risks associated with this way of sharing. By default <can this default behavior be changed in the NPO version? it is in our paid version i am pretty sure, 'cause i think we changed it>, clicking "Get shareable link" will create a link that is open to anyone, without needing to sign into a Google account. It is always better to avoid this sharing setting, as you cannot control that link after it has left your hands. The tightest control over sharing is exercised by clicking the "Share" button and filling out the "People" field with email addresses associated with Google-based accounts, whether inside your domain or not. When sharing in this way, you can copy the link from your address bar and share it safely, as it will remain accessible only to those with whom it has been shared.*
+*The tightest control over sharing is exercised by clicking the "Share" button and filling out the "People" field with email addresses associated with Google-based accounts, whether inside your domain or not. When sharing in this way, you can copy the link from your address bar and share it safely, as it will remain accessible only to those with whom it has been shared. (Unless your G Suite's default behavior has been changed as detailed in the above item, clicking "Get sharable link" will change the permissions so that anyone with the link can view, without logging in.)*
 
-*Situations will inevitably arise where a broadly accessible link is necessary (for example, if your external collaborator does not have a Google account, or you want to cast a wide net for feedback). Be sure to consider the sensitivity of the document in these situations, and, when you choose to share this way, watch out for accidentally making a file public--be sure to choose "anyone with the link" instead. You should also train users set an expiration date on shared links, even if it is far in the future. This will ensure that the file or folder in question eventually becomes unshared. Last but not least, it is important to choose the most limited permissions appropriate -- allowing people with the link to only view or comment on a file if they do not need to change its contents.*
+*Situations will inevitably arise where a broadly accessible link is necessary (for example, if your external collaborator does not have a Google account or you want to cast a wide net for feedback). Be sure to consider the sensitivity of the document in these situations, and, when you choose to share this way, watch out for accidentally making a file public--be sure to choose "anyone with the link" instead. You should also train users to set an expiration date on shared links, even if it is far in the future. This will ensure that the file or folder in question eventually becomes unshared. Last but not least, it is important to choose the most limited permissions appropriate--allowing people who do not need to change its contents only to view and comment on a file.*
 
 :heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**Make sure someone is assigned to regularly monitor what is happening in G Suite, has time to do so, and knows how to identify and escalate any security incidents or other concerns about abnormal usage.**
 :rocket::rocket::wrench::wrench::fire:
 *Reporting on what is happening with your organizational tools and information over time is an important security practice. This is true for all tools, and an advantage of G Suite is that it makes this kind of reporting more accessible than in other tools. You want one individual or a team tasked with this ongoing monitoring, even if it's an external tech support provider, so that problems are caught quickly. Monitoring should be done on a schedule, no less than a monthly and preferably more often. To sustain this practice, it is essential that the person, team, or external provider is assigned this task via their workplan or scope of work. The goal of monitoring is to find unusual behavior, such as sudden growth in file sets or email activity, so the responsible party should first establish a baseline of normal activity and then look for trends outside of that baseline. Any questionable activity should be investigated with the users whose accounts are involved, or escalated to a tech support professional.*  
 
-*Activity Reports are available inside the administrative console, including use of two-factor authentication, external apps installed, emails sent/received, and file activity in Google Drive. An article describing these basic reports is at https://support.google.com/a/answer/4580176. A broader explanation of all the reporting available to you in G Suite can be found at https://support.google.com/a/answer/6000239.*
+*Activity Reports are available inside the administrative console, including use of two-factor authentication, external apps installed, emails sent/received, and file activity in Google Drive. An article describing these basic reports is at [https://support.google.com/a/answer/4580176](https://support.google.com/a/answer/4580176). A broader explanation of all the reporting available to you in G Suite can be found at [https://support.google.com/a/answer/6000239](https://support.google.com/a/answer/6000239).*
 
-*In addition to this activity monitoring, it is important to regularly review the security settings of your users, especially password strength for any users not enrolled in two-factor authentication, as described here: https://support.google.com/a/answer/2537800#password. Google is continually updating their password-strength rating system in response to leaked passwords and other emerging threats, so a password that is judged strong one week may be judged weak the next. (This is less important for users with two-factor authentication, because in those cases as their password is only half of what is needed to access their account.) When you see a weak password in your systems, it should be changed. If you have regular contact with the user in question, walking them through changing to a better password is the best option. If you don't have regular access or they don't use the systems regularly, you can reset the password (using these directions: https://support.google.com/a/answer/33319?hl=en) so the account is protected and communicate the new password to them via a secure channel; if you don't have a secure channel through which to give them their new password, you can reset the password and let them know that they should go through the "forgot password" process the next time they need to log in (be sure to follow up to make sure the new password they choose is strong enough). If appropriate to your operations and the frequency of their use of the account, you can also suspend the account and reenable it as needed (https://support.google.com/a/answer/33312?hl=en).*
+*In addition to this activity monitoring, it is important to regularly review the security settings of your users, especially password strength for any users not enrolled in two-factor authentication, as described here: [https://support.google.com/a/answer/2537800#password](https://support.google.com/a/answer/2537800#password). Google is continually updating their password-strength rating system in response to leaked passwords and other emerging threats, so a password that is judged strong one week may be judged weak the next. (This is less important for users with two-factor authentication, because in those cases as their password is only half of what is needed to access their account.) When you see a weak password in your systems, it should be changed. If you have regular contact with the user in question, walking them through changing to a better password is the best option. If you don't have regular access or they don't use the systems regularly, you can reset the password (using these directions: [https://support.google.com/a/answer/33319?hl=en](https://support.google.com/a/answer/33319?hl=en)) so the account is protected, and communicate the new password to them via a secure channel; if you don't have a secure channel through which to give them their new password, you can reset the password and let them know that they should go through the "forgot password" process the next time they need to log in (be sure to follow up to make sure the new password they choose is strong enough). If appropriate to your operations and the frequency of their use of the account, you can also suspend the account and reenable it as needed ([https://support.google.com/a/answer/33312?hl=en](https://support.google.com/a/answer/33312?hl=en)).*
 
 :heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**Train users not to check the "Don't ask again on this computer" checkbox when using public or other untrusted computers, to logout after using such computers, and to untrust computers that are lost, stolen, or otherwise compromised.**
 :rocket::wrench::fire:
-*This practice will help ensure that all your other efforts to create high barriers to accessing your information are successful. When a user checks the "Don't ask again on this computer" box when logging into G Suite with two-factor authentication, they are telling Google not to ask for a password or second factor for 30 days. In the case of a poorly managed (i.e. not regularly cleaned or reset) computer in a library, Internet café, or other public place, this leaves an account wide open to abuse during that period. Though Google will prompt again for password changes and other sensitive actions, that computer retains the ability to access account information, send emails, and read and edit documents. Trusted computers can always be reviewed, or the trust revoked, within a user's account settings as detailed here: https://support.google.com/accounts/answer/2544838.*
+*This practice will help ensure that all your other efforts to create high barriers to accessing your information are successful. When a user checks the "Don't ask again on this computer" box when logging into G Suite with two-factor authentication, they are telling Google not to ask for a password or second factor for 30 days. In the case of a poorly managed (i.e., not regularly cleaned or reset) computer in a library, Internet café, or other public place, this leaves an account wide open to abuse during that period. Though Google will prompt again for password changes and other sensitive actions, that computer retains the ability to access account information, send emails, and read and edit documents. Trusted computers can always be reviewed, and trust revoked, within a user's account settings as detailed here: [https://support.google.com/accounts/answer/2544838](https://support.google.com/accounts/answer/2544838).*
 
 :heavy_check_mark:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**Install Chrome on all staff computers and set it as the default web browser. Make sure staff know how to keep it updated and that they use Chrome instead of other browsers whenever they are using G Suite tools.**
 :rocket::rocket::wrench::wrench::fire:
-*This practice will help you have strong security between your web browser and G Suite. Because Google controls both things, they have a lot of ways to verify that your connection is well-secured and that newer features like two-factor authentication work well; they can also push out corrected software if they have a security incident in their infrastructure. Generally Chrome will self-update, but you should teach your staff how to recognize when an update is available (as described here: https://support.google.com/chrome/answer/95414). Quitting and reopening the browser will allow it to update to the latest, most secure version.*
+*This practice will help you have strong security between your web browser and G Suite. Because Google controls both things, they have a lot of ways to verify that your connection is well-secured and that newer features like two-factor authentication work well; they can also push out corrected software if they have a security incident in their infrastructure. Generally Chrome will self-update, but you should teach your staff how to recognize when an update is available (as described here: [https://support.google.com/chrome/answer/95414](https://support.google.com/chrome/answer/95414)). Quitting and reopening the browser will allow it to update to the latest, most secure version.*
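Review bot: the rewritten password-review paragraph still carries a grammatical slip, "because in those cases as their password is only half of what is needed"; drop "as" so it reads "because in those cases their password is only half of what is needed". In the same hunk, the link-sharing paragraph now says "only to view and comment on a file", where the original "view or comment" was more accurate, since view and comment are distinct permission levels in Drive and the point is to grant the lowest one that suffices. Smaller items: "reenable" reads better as "re-enable", and the unchanged monitoring paragraph is missing a word in "no less than a monthly" (should be "no less than monthly").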
diff --git a/A_glossary.md b/A_glossary.md
index 77f45eeec580c1ced368126fa639e50cc6ddc35e..38a65370f6da33683dcce97a4bf01a5f0aa15b84 100644
--- a/A_glossary.md
+++ b/A_glossary.md
@@ -2,68 +2,71 @@
 document set: DRAFT DIGITAL SECURITY CHECKLISTS FOR U.S. NON-PROFITS
 title: Appendix A: Glossary
 author: Jonah Silas Sheridan, Lisa Jervis
-version: "2.0 DRAFT - NOT FOR PUBLIC USE"
-last modified: 10/24/17
+version: "2.0, PEER REVIEWED"
+last modified: 10/27/17
 ---
 
 # Appendix A: Digital Security Glossary
 
+**Add-on**
+See "extension".
+
 **Backup**  
-Regularly updated copies of your digital assets, ideally stored in several different places, so that if access to or integrity of your data is disrupted for any reason (damage to computers due to accident or natural disaster, accidental or malicious deletion of files,etc.), the assets can be restored. Online backup services such as Mozy and CrashPlan are best supplemented by backups stored on organizational equipment with at least one up to date copy in secure offsite storage.  
+Regularly updated copies of your digital assets, ideally stored in several different places, so that if access to or integrity of your data is disrupted for any reason (damage to computers due to accident or natural disaster, accidental or malicious deletion of files, etc.), the assets can be restored. Online backup services such as Mozy and CrashPlan are best supplemented by backups stored on organizational equipment with at least one up-to-date copy in secure offsite storage.  
 
 **Cookies**  
 Small files placed on your computer by websites that you visit; they are used to manage website features such as logins and can also be used to track behavior on the web. While not all cookies are a security risk, if poorly implemented they can expose the information they contain. More information about cookies is available at [http://www.allaboutcookies.org/]("http://www.allaboutcookies.org/").   
 
 **Digital assets**  
-Any and all data electronically stored or used by your organization. This includes your organization's files, website,emails, social media accounts, online banking accounts, etc. Some of these items may be ones that you administer yourself (e.g., the contents of staff hard drives, file repositories stored on servers owned and controlled by your organization); others may be maintained by third-party services on your behalf (e.g., files on Google Drive orBox). Others are services that you participate in that are owned and controlled by others (subject to terms of service), such as organizational Facebook pages.
+Any and all data electronically stored or used by your organization. This includes your organization's files, website, emails, social media accounts, online banking accounts, etc. Some of these items may be ones that you administer yourself (e.g., the contents of staff hard drives, file repositories stored on servers owned and controlled by your organization); others may be maintained by third-party services on your behalf (e.g., files on Google Drive or Box). Others are services that you participate in that are owned and controlled by others (subject to terms of service), such as organizational Facebook pages.
 
 **DKIM records**  
-DomainKeys Identified Mail (DKIM) is a system to protect email from abuse, both from forged sender addresses and from content alteration. The system operates at the server level so requires help from your email provider to setup.  
+DomainKeys Identified Mail (DKIM) is a system to protect email from abuse, both from forged sender addresses and from content alteration. The system operates at the server level so requires help from your email provider to set up.  
 
-**Domain Name System.**  
-The domain name system (DNS) is like a phone book for the Internet. It translates domain names (such as iecology.org or reddit.com) into the numbers (ip addresses) used to find services on the Internet. It can also be used to store other information about your organization's information systems, such as SPF records or DKIM keys.  
+**Domain Name System**  
+The domain name system (DNS) is like a phone book for the Internet. It translates domain names (such as iecology.org or reddit.com) into the numbers (IP addresses) used to find services on the Internet. It can also be used to store other information about your organization's information systems, such as SPF records or DKIM keys.  
 
 **Encryption**  
 A mechanism by which your data scrambled in order to protect it from being read by unauthorized parties. Authorized parties are able to decrypt (i.e., unscramble) it. There are many different ways to encrypt communications and other digital assets.  
 
-**Encryption Key.**  
-An encryption key is a piece of information that you share with an authorized party so they can encrypt and/or decrypt information to or from you. In most cases this information is highly sensitive and needs to be protected however modern encryption schemes allow you to have a “public” key that you can safely share with anyone.  
+**Encryption key**  
+An encryption key is a piece of information that you share with an authorized party so they can encrypt and/or decrypt information to or from you. In most cases this information is highly sensitive and needs to be protected; however, some modern encryption schemes (asymmetric encryption, also known as public key encryption) allow you to have a public key that you can safely share with anyone.  
 
-**Extensions or Add-ons**  
-Small pieces of software that you install as part of your web browser in order to give your browser additional capabilities.
+**Extension**  
+A small pieces of software that you install as part of your web browser in order to give your browser additional capabilities.
 
 **Firewall**  
 A piece of software or a hardware device that sits between a device or network and the Internet. It analyzes and selectively blocks or alters information passing between two sides. Common places to find firewalls are between your office network and the Internet and on your computer to protect you from other computers on your office network.
 
-**Full Disk Encryption**
-An encryption setup where the entirety of a storage device, or disk -- whether a USB stick, hard drive inside a computer or external drive for backups or any other -- is encrypted. This is the most secure way of protecting your information as unencrypted parts of disks can accidentally hold sensitive data, even if just used for "virtual memory" or you think the files on it have been deleted. This is important especially for devices that could be lost like laptops, mobile phones or backup drives -- but will also mean that no data on them can be accessed (including for starting up the system in the case of a computer or phone) without the encryption password.
+**Full disk encryption**
+An encryption setup where the entirety of a storage device, or disk--whether a USB stick, hard drive inside a computer or external drive for backups or any other--is encrypted. This is the most secure way of protecting your information as unencrypted parts of disks can accidentally hold sensitive data, even if just used for "virtual memory" or you think the files on it have been deleted. This is important especially for devices that could be lost, such as laptops, mobile phones, or backup drives--but will also mean that no data on them can be accessed (including for starting up the system in the case of a computer or phone) without the encryption password.
 
 **Office network**  
-The equipment in your office that allows staff computers to connect to each other, on site resources such as fileservers and to the Internet. If you cannot trust that nobody else is controlling this network your security progress will be compromised.  
+The equipment in your office that allows staff computers to connect to each other, to on-site resources such as fileservers, and to the Internet. If you cannot trust that nobody else is controlling this network your security progress will be compromised.  
 
 **Operating system**
-The main program that lets you run all the other programs on your computer. This usually includes all the tools to make your devices (like keyboards or screens or storage devices) available and usually, but doesn't have to, includes some sort of file manager -- a way to find and access your files and programs. Common operating systems include Android, ChromeOS iOS, Linux, OSX and Windows but there are many others available used for all sorts of purposes.
+The main program that lets you run all the other programs on your computer. This usually includes all the tools to make your peripherals (such as keyboards or screens or storage devices) available and usually includes some sort of file manager--a way to find and access your files and programs. Common operating systems include Android, ChromeOS iOS, Linux, OSX, and Windows, but there are many others available used for all sorts of purposes.
 
 **Password manager software**  
 Software that keeps your passwords in an encrypted format, protected by a master password. This allows you to store multiple passwords by remembering only one. Password managers are available as software that you install (e.g., KeePass) and as a web-based service (e.g., LastPass). While web-based password managers can be secure enough to hold the passwords staff use to access their accounts for everyday purposes, they are not recommended to store the passwords that grant administrative access to core organizational systems.
 
-**Security certificates**  
-Security certificates are a specific kind of file that includes an encryption key, and often times additional information about that key. Websites such as used for banking and other services frequently use them to allow you to establish a secure connection with their servers.
+**Security certificate**  
+A security certificate is a specific kind of file that includes an encryption key and, often, additional information about that key. Websites used for banking and other sensitive services frequently use them to allow you to establish a secure connection with their servers.
 
 **Small Message Service (SMS)**
-Also known as a text message, SMS is generally an insecure way to send information to other people. It is relatively easy  for those with technical equipment and know how to intercept cellular network traffic. In addition many recent situations have shown that it is even easier to convince a cell company to hand over control of an account or to just steal a handset. SMS should especially be avoided as a second factor for authentication (See Two Factor Authentication below) for these reasons.
+Also known as a text message, SMS is generally an insecure way to send information to other people. It is relatively easy for those with technical equipment and knowhow to intercept cellular network traffic. In addition, many recent situations have shown that it is even easier to convince a cell company to hand over control of an account or to just steal a handset. SMS should especially be avoided as a second factor for authentication (see "two-factor authentication" below) for these reasons.
 
 **SPF records**  
 Sender Policy Framework (SPF) is a system that allows you to tell others what servers and services are allowed to send email for your organization's domain name. Setting up this record requires the assistance of your DNS provider and can have unintended negative consequences for your email delivery if not properly done.  
 
-**Two Factor or Multifactor Authentication**
-A way of identifying yourself to a computer or service that includes two or more items -- often something you have (like a phone or security key) and something you know (like a password). Commonly one of those methods is an cell phone text message (Small Message Service above) however this is ****no longer recommended and should be avoided due to the ease of gaining access to other people's cell service, phone or SIM card***.   
+**Two-factor or multifactor authentication**
+A way of identifying yourself to a computer or service that includes two or more items--often something you have (one-time code or specialized USB device) and something you know (like a password). Commonly one of those methods is an SMS message (see above); however, *this is no longer recommended and should be avoided due to the ease of gaining access to other people's cell service, phone, or SIM card*.   
 
 **Virtual Private Network (VPN)**  
-A connection between computers or devices that allows them to exchange information in an encrypted form. This can allow you to both “tunnel out of” a network you don't trust or to get you access to information on your office network from someplace else on the Internet.
+A connection between computers or devices that allows them to exchange information in an encrypted form. This can allow you to tunnel out of a network you don't trust or access information on your office network from someplace else on the Internet.
 
-**Wireless Access Point.**  
+**Wireless Access Point**  
 A wireless access point (WAP) is a piece of hardware configured to host a wireless network. In many small networks the WAP will also be a firewall separating the network from the rest of the Internet.  
 
-**WEP, WPA and WPA2**  
-All are methods of encrypting wireless network traffic between a device like a computer or phone and a wireless access point. WEP is an older encryption method and it is far less secure than WPA and its more secure successor WPA2. Always choose WPA2 when possible.
+**WEP, WPA, and WPA2**  
+All are methods of encrypting wireless network traffic between a device like a computer or phone and a wireless access point. WEP is an older encryption method and it is far less secure than WPA and its more secure successor WPA2. Note, however, that some broad attacks on WPA2 have recently come to light as of October 2017.
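Review bot: the new "Extension" entry introduces a number-agreement error, "A small pieces of software"; make it "A small piece of software". The WEP/WPA/WPA2 entry drops the recommendation "Always choose WPA2 when possible" while adding the October 2017 caveat, but the caveat does not make WEP or WPA a better choice, so keep the recommendation alongside the note. Smaller items: "ChromeOS iOS" in the operating system entry needs a comma; "knowhow" should be "know-how"; the front matter still reads "DRAFT DIGITAL SECURITY CHECKLISTS" although the version is now "PEER REVIEWED"; the unchanged "Encryption" entry is missing a verb ("your data is scrambled"); and the cookies link uses the form `[text]("url")`, which is not valid Markdown link syntax and will render the quotes literally.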
diff --git a/B_threat_model.md b/B_threat_model.md
index 449fc28dc1159af77e168b3f811d786b09b4aea4..e6a0c234c792e7b8b70b4d5f87c38384c615d742 100644
--- a/B_threat_model.md
+++ b/B_threat_model.md
@@ -1,19 +1,20 @@
-***
+---
 document set: DRAFT DIGITAL SECURITY CHECKLISTS FOR U.S. NON-PROFITS
 title: Appendix B: Assumed Threat Model
 author: Jonah Silas Sheridan, Lisa Jervis
-version: "2.0 DRAFT NOT FOR PUBLIC USE" 
-last modified: 10/24/17
-***
+version: "2.0, PEER REVIEWED" 
+last modified: 10/27/17
+---
 
 # Appendix B: Assumed Threat Model
 
 ## Introduction
-What follows is a simplified threat model that outlines the landscape in which these checklists are expected to be effective. You may note that many of these assumptions map to the individual items in the readiness assessment tool as they are foundational to the recommendations in the checklist.
 
-These checklists do not promise to mitigate the threats listed here in their entirety. If all items in these checklists were to be implemented across an organization, any adversary as described by this threat model would face a high bar to impacting the confidentiality, integrity or availability of that organizations' information systems. Although not annotated with this information, many single recommendations are directly oriented at defeating one or more of the list Adversary capabilities. If there is a specific capability you that is of high risk for your organization, seek guidance from a technical support professional in determining which checklist items are most appropriate for mitigation of that risk.
+What follows is a simplified threat model that outlines the landscape in which these checklists are expected to be effective. You may note that many of these assumptions map to the individual items in the [readiness assessment tool](2_readiness_assessment_tool), as they are foundational to the recommendations in the checklist.
 
-We list the threat model in terms of assumed technical operating conditions, assumed user skills and Adversary capabilities, delivered in narrative form rather than with technical detail. We believe this adversary profile fits both common criminal adversaries as well as low skill political or otherwise aggressive opponents of non-profit organizations' work.   
+These checklists do not promise to mitigate the threats listed here in their entirety. If all items in these checklists were to be implemented across an organization, any adversary as described by this threat model would face a high bar to impacting the confidentiality, integrity, or availability of that organizations' information systems. Although not annotated with this information, many single recommendations are directly oriented at defeating one or more of the listed adversary capabilities. If there is a specific capability that is of high risk for your organization, seek guidance from a technical support professional in determining which checklist items are most appropriate for mitigation of that risk.
+
+We list the threat model in terms of assumed technical operating conditions, end-user skills, and adversary capabilities, delivered in narrative form rather than with technical detail. We believe this adversary profile fits both common criminal adversaries as well as low-skill political or otherwise aggressive opponents of non-profit organizations' work.   
 
 ## Assumed operating conditions
 
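Review bot: "that organizations' information systems" in the rewritten second paragraph has the apostrophe on the wrong side; it refers to a single organization, so it should be "that organization's". The new relative link `[readiness assessment tool](2_readiness_assessment_tool)` omits the `.md` extension that the other files in this set carry, so it may not resolve in renderers that link to files rather than page slugs. Also, the front-matter "document set" line still says "DRAFT ..." while the version now reads "PEER REVIEWED", and the new version line keeps a trailing space.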
@@ -21,35 +22,35 @@ We list the threat model in terms of assumed technical operating conditions, ass
 
 * Work is occurring primarily on adequately powered Windows or Mac computers with some use of Android or iOS phones for communications.
 
-* All devices which have been sourced through verifiable channels and are running official versions of operating systems.
+* All devices have been sourced through verifiable channels and are running official versions of operating systems.
 
 * Devices do not cross international borders, though communications and data may.
 
-* Work occurs using a limited set of applications and tools which have been selected, administered and managed by the organization.
+* Work occurs using a limited set of applications and tools which are selected, administered, and managed by the organization.
 
-* Authentication mechanism for these systems MAY be open to login attempts from any device.
+* Authentication mechanisms for these systems may be open to login attempts from any device.
 
 * Staff have regular and consistent access to the Internet to perform their work.
 
-* Networks used to connect to the Internet MAY also be used by other organizations and the public -- including potential Adversary.
+* Networks used to connect to the Internet may also be used by other organizations and the public--including potential adversaries.
 
 * Networks in use do not also host publicly available servers or services.
 
 * All organizational data is regularly backed up and available for restoration in a reasonable time period in most disaster circumstances.
 
-## End user assumed capabilities
+## Assumed end-user capabilities
 
 * End users can physically protect their hardware and devices inside their homes and offices as well as when in public spaces.
 
-* There is a mechanism for and end user availability to provide/receive training in information systems topics.
+* There is a mechanism for and end-user availability to provide/receive training in information systems topics.
 
 * End users can operate the limited set of applications and tools their organization supplies for their use effectively.
 
-* End users can install browser extensions on their devices. End users, technology responsible staff or technical support providers can install other applications on end user devices.
+* End users can install browser extensions on their devices. End users, technology-responsible staff or technical support providers can install other applications on end-user devices.
 
-* End users can remember strings of letters, numbers and symbols of length 12 or more for use as pass phrases or shared secrets for accessing systems.
+* End users can remember strings of letters, numbers, and symbols of length 12 or more for use as passphrases or shared secrets for accessing systems.
 
-* Pass phrases or shared secrets are used to authenticate a single or small group of individuals to a system.
+* Passphrases or shared secrets are used to authenticate a single or small group of individuals to a system.
 
 * End users know how to request and receive technical support for problems with their information systems.
 
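Review bot: "There is a mechanism for and end-user availability to provide/receive training in information systems topics" is still hard to parse after the hyphen fix; consider "There is a mechanism for providing training in information systems topics, and end users have time to receive it." The serial commas added elsewhere in this hunk are missing from "End users, technology-responsible staff or technical support providers" (add a comma after "staff"). Lowercasing "MAY" in the authentication and shared-network bullets also removes the emphasis that these are possible rather than assumed conditions; if that emphasis was intended, italics would preserve it.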
@@ -59,7 +60,7 @@ We list the threat model in terms of assumed technical operating conditions, ass
 
 * Adversary can connect to publicly available information systems and attempt to authenticate with them.
 
-* Adversary can send arbitrary content, including spoofed headers, malware executables, infected documents and links to email addresses.
+* Adversary can send arbitrary content, including spoofed headers, malware executables, infected documents, and links to email addresses.
 
 * Adversary can send arbitrary content to smartphones via SMS or other open messaging platforms.
 
@@ -71,22 +72,22 @@ We list the threat model in terms of assumed technical operating conditions, ass
 
 * Adversary can set up wireless access points (WAP) in any public place with arbitrary or spoofed SSIDs.
 
-* Adversary can using routing attacks to route traffic on public shared networks through their devices.
+* Adversary can use routing attacks to route traffic on public shared networks through their devices.
 
-* Adversary can take over poorly configured or secured commodity gateway routing equipment using well known credentials or attacks on out of date firmware sets.
+* Adversary can take over poorly configured or secured commodity gateway routing equipment using well-known credentials or attacks on out-of-date firmware sets.
 
 * Adversary can spoof DHCP server announcements on public shared networks to attempt to act as the gateway for that network.
 
-* Adversary with appropriate position (via routing/DHCP attacks, WAP spoofing or router takeovers) can perform man-in-the-middle (MITM) attacks on unauthenticated traffic including returning arbitrary results to DNS queries, downgrading STARTSSL email submission, rewriting unauthenticated exchanges and sniffing credentials or other content.
+* Adversary with appropriate position (via routing/DHCP attacks, WAP spoofing, or router takeovers) can perform [man-in-the-middle (MITM) attacks](https://en.wikipedia.org/wiki/Man-in-the-middle_attack) on unauthenticated traffic, including returning arbitrary results to DNS queries, downgrading STARTSSL email submission, rewriting unauthenticated exchanges, and sniffing credentials or other content.
 
-* Adversary cannot generate or purchase certificates for arbitrary domains from commonly trusted Certificate Authorities to MITM CA mediated authenticated connections.
+* Adversary cannot generate or purchase certificates for arbitrary domains from commonly trusted Certificate Authorities (CAs) to MITM CA-mediated authenticated connections.
 
 * Adversary can scan devices to identify their operating system or other software versions.
 
-* Adversary can exploit well known vulnerabilities in operating system or local software with open listening ports.
+* Adversary can exploit well-known vulnerabilities in operating systems or local software with open listening ports.
 
-* Adversary may be able to perform Evil Maid attacks on hardware that they have physical access to.
+* Adversary may be able to perform [evil maid attacks](http://searchsecurity.techtarget.com/definition/evil-maid-attack) on hardware that they have physical access to.
 
 * Adversary may be able to use brute force mechanisms on hardware that they take possession of.
 
-* Adversary cannot brute force encrypted information other than otherwise noted in this document.
+* Adversary cannot brute force encrypted information other than as noted in this document.
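Review bot: "STARTSSL email submission" in the MITM bullet should read "STARTTLS"; STARTSSL was a certificate authority, whereas STARTTLS is the opportunistic-encryption command for SMTP submission that an on-path adversary can strip, which is the downgrade this bullet describes. Suggest: `downgrading STARTTLS email submission`. For consistency with the hyphenation fixes elsewhere in this hunk, "brute force" used as a verb in the last two bullets could also become "brute-force".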
diff --git a/C_FAQ.md b/C_FAQ.md
index 14cf3d5c4b8a0e429b97aaf83734b1b18d38b676..dfe8b41522c70e2d31e92dffc9393a26a7b3b335 100644
--- a/C_FAQ.md
+++ b/C_FAQ.md
@@ -2,62 +2,62 @@
 document set: DIGITAL SECURITY CHECKLISTS FOR U.S. NON-PROFITS
 title: Appendix C: Frequently Asked Questions
 author: Jonah Silas Sheridan, Lisa Jervis
-last modified: 10/24/2017
-version: "2.0, DRAFT NOT FOR PUBLIC USE"
+last modified: 10/27/2017
+version: "2.0, PEER REVIEWED"
 ---
 # Appendix C: Frequently Asked Questions
 
 ## Where did this document set come from?
 
-This set of documents was made to help small non-profit organizations improve their digital security outcomes despite limited resources and technical skill availability. The content was commissioned as part of the [Weathering The Storms]("http://www.roadmapconsulting.org/WTS") initiative of [RoadMap Consulting]("http://www.roadmapconsulting.org/WTS") and fiscally sponsored by [Common Counsel Foundation]("http://commoncounsel.org") of [Oakland, California]("https://localwiki.org/oakland/"). The content was researched and prepared by Jonah Silas Sheridan and Lisa Jervis, Principals of [Information Ecology]("https://iecology.org"), a capacity building consultancy specializing in non-profit and movement building technology management, and was peer reviewed by generous members of our community. Many other eyes and hands have helped tune the recommendations to ensure technical accuracy and ease of use. We are grateful to all the members of our community that have helped bring these documents to life.
+This set of documents was made to help small non-profit organizations improve their digital security outcomes despite limited resources and technical skill availability. The content was commissioned as part of the [Weathering The Storms](http://www.roadmapconsulting.org/WTS) initiative of [RoadMap Consulting](http://www.roadmapconsulting.org), fiscally sponsored by [Common Counsel Foundation](http://commoncounsel.org) of [Oakland, California](https://localwiki.org/oakland/). The content was researched and prepared by Jonah Silas Sheridan and Lisa Jervis, Principals of [Information Ecology](https://iecology.org), a capacity building consultancy specializing in non-profit and movement-building technology management, and was peer-reviewed by generous members of our community. Many other eyes and hands have helped tune the recommendations to ensure technical accuracy and ease of use. We are grateful to all the members of our community that have helped bring these documents to life.
 
 ## When was this document set created and last updated?
 
 **This document was last updated in September 2017.**
 
-These documents were originally researched and peer reviewed in Fall 2015. Some small edits and a minor 1.1 revision of Spring 2017 updated and improved the [Readiness Assessment Tool](2_readiness_assessment_tool.md) and other checklist language based on field experience. A major version 2.0 release was completed in September 2017. This version includes a review, update and extension of the checklist set. The version adds a [Device Security Checklist](4_device_security_checklist.md) and [GSuite Security Checklist](8_gsuite_security_checklist.md) as well as an [Assumed Threat Model](A_threat_model.md) for technical readers. All new content was peer reviewed. Contact [RoadMap Consulting](https://roadmapconsulting.org) or [Information Ecology](https://iecology.org/contact) with questions about this process or content.
+These documents were originally researched and peer reviewed in fall 2015. Some small edits and a minor 1.1 revision in spring 2017 updated and improved the [Readiness Assessment Tool](2_readiness_assessment_tool.md) and other checklist language based on field experience. A major version 2.0 release was completed in September 2017. This version includes a review, update, and extension of the checklist set. It adds a [Device Security Checklist](4_device_security_checklist.md) and [G Suite Security Checklist](8_gsuite_security_checklist.md), as well as an [Assumed Threat Model](A_threat_model.md) for technical readers. All new content was peer reviewed. Contact [RoadMap Consulting](https://roadmapconsulting.org) or [Information Ecology](https://iecology.org/contact) with questions about this process or content.
 
-**If you have feedback or questions about this document set, its contents or how to use it, please contact Information Ecology using [our secure contact form]("https://iecology.org/contact") or PGP encrypted email to info@iecology.org using [this key]("https://iecology.org/0x3C2BACE5E10F3C7A_pub.txt")**
+**If you have feedback or questions about this document set, its contents, or how to use it, please contact Information Ecology using [our secure contact form](https://iecology.org/contact) or PGP encrypted email to info@iecology.org using [this key](https://iecology.org/0x3C2BACE5E10F3C7A_pub.txt).**
 
 ## Why digital security checklists?
 
-While computers have revolutionized and opened all sorts of new possibilities in how non-profits operate, the last several years have begun to reveal to the general public the many risks associated with digital communication and information storage. While all organizations want to protect their information — and that of their partners and allies — few have a strong understanding of the relevant risks and most effective ways to manage them.
+While computers have revolutionized and opened all sorts of new possibilities in how non-profits operate, the last several years have begun to reveal to the general public the many risks associated with digital communication and information storage. While all organizations want to protect their information--and that of their partners and allies--few have a strong understanding of the relevant risks and most effective ways to manage them.
 
 **These checklists represent recommendations for a set of baseline digital security practices to help organizations move forward.**
 
-They have been created as a harm reduction and capacity building step to meet the common patterns in technical operations in small organizations. We have incorporated information from incident reports, emerging standards, current research and community feedback about the work habits of and threats faced by non-profit organizations. The aim is to help organizations improve digital security outcomes by minimizing the easiest to exploit vulnerabilities in their systems. This strategy provides protection against many of the common attacks organizations are prey to while also helping create a stronger front  against more advanced adversaries with time and resources to invest.
+They have been created as a harm-reduction and capacity-building step to meet the common patterns in technical operations in small organizations. We have incorporated information from incident reports, emerging standards, current research, field experience, and community feedback about the work habits of and threats faced by non-profit organizations. The aim is to help organizations improve digital security outcomes by minimizing the easiest-to-exploit vulnerabilities in their systems. This strategy provides protection against many of the common attacks organizations are prey to while also helping create a stronger front against more advanced adversaries with time and resources to invest.
 
-By minimizing the costs and disruption of routine security incidents (such as viruses, malware, ransomware and phishing) and exposing staff to digital security topics and practices, it is hoped that going through these checklists helps create space for deeper risk analysis and organizational security efforts. By stepping through these checklists, organizations can build their "security practice muscles" by implementing new, accessible habits and practices. Building this foundational capacity to tune operations is critical to taking on more advanced or disruptive security measures as the threat landscape changes.
+By minimizing the costs and disruption of routine security incidents (such as viruses, malware, ransomware, and phishing) and exposing staff to digital security topics and practices, it is hoped that going through these checklists helps create space for deeper risk analysis and organizational security efforts. By stepping through these checklists, organizations can build their security practice muscles by implementing new, accessible habits and practices. Building this foundational capacity to tune operations is critical to taking on more advanced or disruptive security measures as the threat landscape changes.
 
 
 ## What can't these checklists do for me?
 
-The public-health concept of harm reduction is a useful approach to any situation for which a perfect solution is not available. Despite being an incomplete solution, regular hand washing is an important part of limiting the risk of getting certain illnesses. Similarly a set of standard best practices represented by checklists cannot mitigate all risks, yet they can help protect you and your organization from some of the serious threats that come with using computers to manage your information. These checklists are meant as a starting point in understanding and responding to the most basic threats computer users face today. They are a useful first step to secure ourselves, our organizations and our movements but they are not sufficient. For those of us working in extremely hostile environments, aligned against highly repressive regimes, in closing political spaces or in high risk conflicts, disasters or other unrest a more rigorous approach is necessary. When significant risks of bodily harm, long term detention and death exist, these checklists cannot substitute for a more aggressive and thorough security analysis and response.
+The public-health concept of harm reduction is a useful approach to any situation for which a perfect solution is not available. Despite being an incomplete solution, regular hand washing is an important part of limiting the risk of getting certain illnesses. Similarly, a set of standard best practices represented by checklists cannot mitigate all risks, yet they can help protect you and your organization from some of the serious threats that come with using computers to manage your information. These checklists are meant as a starting point in understanding and responding to the most basic threats computer users face today. They are a useful first step to secure ourselves, our organizations, and our movements, but they are not sufficient. For those of us working in extremely hostile environments; aligned against highly repressive regimes; in closing political spaces; or in high-risk conflicts, disasters, or other unrest, a more rigorous approach is necessary. When significant risks of bodily harm, long-term detention, and death exist, these checklists cannot substitute for a more aggressive and thorough security analysis and response.
 
 Effective security is an ongoing process. It requires consistent practices to be undertaken by all staff, periodic review and adjustment to practices, and strong leadership from board and senior staff. Every organization faces a specific set of threats to its information, some of which may be completely outside the digital realm (e.g., infiltration of organizing meetings by a political adversary). As no set of checklists can address all situations, these checklists do not represent a complete solution for securing your organization.
 
 It is also important to recognize that implementing new security practices puts pressure on key organizational processes and personnel. Implementing the checklist recommendations will generally not immediately make your work smoother and easier. Instead, many will likely create some disruption and training needs. In order to make meaningful strides in security, your organization must be prepared to make these trade-offs.
 
-These investments in time and attention will repay the organization in smoother, more tightly defined operations -- as well as peace of mind that come from knowing those operations protect your data and systems.
+These investments in time and attention will repay the organization in smoother, more tightly defined operations--as well as peace of mind that come from knowing that those operations protect your data and systems.
 
 ## Who are these checklists for?
 
-Different and changing contexts, whether technical or geo-political, introduce a variety of threats, vulnerabilities, and adversaries to consider in managing risk. To make these checklists useful we have designed them to apply to a specific set of organizations and set of threats.
+Different and changing contexts, whether technical or geopolitical, introduce a variety of threats, vulnerabilities, and adversaries to consider in managing risk. To make these checklists useful, we have designed them to apply to a specific set of organizations and set of threats.
 
-These checklists target organizations broadly seeking to protect themselves from security threats from non-persistent adversaries with limited resources (e.g., disgruntled individuals, identity thieves, political opponents, internal threats) rather than the U.S. government, other governments or other large global entities including multinational corporations.
+These checklists target organizations broadly seeking to protect themselves from security threats from non-persistent adversaries with limited resources (e.g., disgruntled individuals, identity thieves, political opponents, internal threats) rather than advanced persistent threats such as the U.S. government, other governments, or other large global entities including multinational corporations.
 
-**If your threat model includes the sorts of concerns you will need to contact a digital security professional to help you build security practices and systems beyond those recommended in these checklists in order to remain resilient in your specific context. [Contact RoadMap]("mailto:info@roadmapconsulting.org") or [Information Ecology](https://iecology.org/contact) for help or referrals.**
+**If your threat model includes advanced persistent threats, you will need to contact a digital security professional to help you build security practices and systems beyond those recommended in these checklists in order to remain resilient in your specific context. [Contact RoadMap](mailto:info@roadmapconsulting.org) or [Information Ecology](https://iecology.org/contact) for help or referrals.**
 
 To keep recommendations actionable, we also made some assumptions about the operations of the organizations using these checklists.
 
--   The organization has a staff of under 50 with an in house technical team of no more than 3, if any technical staff at all.
+-   The organization has a staff of under 50 with an in-house technical team of no more than three, if any technical staff at all.
 
--   The organization uses primarily desktop and laptop computers with some use of mobile devices to access its information systems.
+-   The organization uses primarily desktop and laptop computers, with some use of mobile devices to access its information systems.
 
--   The organization uses networks for work that are free from malicious outside interference and are segmented from the open Internet by a password protected firewall device running up-to-date software, controlled by the owner.
+-   The organization uses networks for work that are free from malicious outside interference and are segmented from the open Internet by a password-protected firewall device running up-to-date software, controlled by the owner.
 
--   Although the organization may communicate with partners abroad, its staff do not cross international borders while carrying the organization's equipment or data nor regularly work in a foreign country.
+-   Although the organization may communicate with partners abroad, its staff neither cross international borders while carrying the organization's equipment or data, nor regularly work in a foreign country.
 
--   The organization can otherwise successfully protect physical access to its office spaces, network equipment and devices.
+-   The organization can in general successfully protect physical access to its office spaces, network equipment, and devices.
 
-While these practices can certainly be adopted in environments that don't meet this profile, in those cases our rating system may not be accurate on and all recommendations should be reviewed by your technical or security support personnel.
+While these practices can certainly be adopted in environments that don't meet this profile, in those cases our rating system may not be accurate, and all recommendations should be reviewed by your technical or security support personnel.
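Review bot: the link `[Assumed Threat Model](A_threat_model.md)` in the version-history paragraph points at a file name that does not match the rest of the repository, where the README lists the threat model as Appendix B at `B_threat_model.md` (Appendix A is the glossary); fix the target here. Also, the frontmatter now says `last modified: 10/27/2017` while the unchanged bold line still states the document was last updated in September 2017, and "peace of mind that come from" should be "comes from".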
diff --git a/README.md b/README.md
index b7df340d6086c846c4cc909ffdd1ae91e24198ca..45726dd3025b37019e5b9a5db75b1ad24ec93ef0 100644
--- a/README.md
+++ b/README.md
@@ -1,52 +1,54 @@
 
 # Introduction  
-The documents in this repository comprise a set of digital security checklists for use by US based non-profit organizations with a focus on human practice and organizational management. They were created by [Information Ecology](https://iecology.org), an Oakland, California based consultancy focusing on technology management and capacity building for progressive organizations for use in the [Weathering The Storms project of RoadMap Consulting](https://roadmapconsulting.org/resource/weathering-the-storm/). They have been peer reviewed for readability and accuracy by both technical and operational professionals from the global non-profit community.
 
+The documents in this repository comprise a set of digital security checklists for use by U.S.-based non-profit organizations with a focus on human practices and organizational management. They were created by [Information Ecology](https://iecology.org), an Oakland, California-based consultancy focusing on technology management and capacity building for progressive organizations for use in the [Weathering The Storms project of RoadMap Consulting](https://roadmapconsulting.org/resource/weathering-the-storm/). They have been peer-reviewed for readability and accuracy by both technical and operations professionals from the global non-profit community.
 
-**These documents are designed for use in the US domestic context and focused on common vulnerabilities. Use in other countries or to defend against highly aggressive and/or resourced attackers is not recommended without further threat analysis and tuning of content. [Contact us](https://iecology.org/contact) if you need support using these checklists in that way.**
+
+**These documents are designed for use in the U.S. domestic context and focused on common vulnerabilities. Use in other countries or to defend against highly aggressive and/or resourced attackers is not recommended without further threat analysis and tuning of content. [Contact us](https://iecology.org/contact) if you need support using these checklists in that way.**
 
 
 # Contents
+
 1. [Introduction](1_checklist_introduction.md)
-About these checklists and how they can help you
+About these checklists and how they can help you.
 
 2. [Readiness Assessment Tool](2_readiness_assessment_tool.md)
 A tool for assessing whether an organization has the requisite baseline capacities needed to successfully take on new digital security practices. Any challenges identified should be met before attempting to increase digital security levels through other means.
 
-3. [Directions](3_directions.md)
-How to use What the symbols in these documents mean.
+3. [Directions](3_directions_and_legend.md)
+How to use these documents and what the symbols in them mean.
 
 4. [Device Security Checklist](4_device_security_checklist.md)
 All security depends on the ability to control your devices. This checklist helps you do that.
 
 5. [Password and Authentication Checklist](5_authentication_checklist.md)  
-A checklist of tasks related to improving the way you identify, or "authenticate" yourself to the services you use, including password management practices.
+A checklist of tasks related to improving the way you identify, or "authenticate," yourself to the services you use, including password management practices.
 
 6. [Wireless Network Safety Checklist](6_wireless_checklist.md)
-A checklist of tasks related to improving security levels when depending on wireless networks
+A checklist of tasks related to improving security levels when depending on wireless networks.
 
 7. [Email Safety Checklist](7_email_safety_checklist.md)
-A checklist of tasks related to safe(r) use of Email.
+A checklist of tasks related to safe(r) use of email.
 
-8. [GSuite Security Checklist](8_gsuite_security_checklist.md)
-A checklist to help you setup and use the security controls in Google's domain based services.
+8. [G Suite Security Checklist](8_gsuite_security_checklist.md)
+A checklist to help you set up and use the security controls in Google's domain-based services.
 
-9. Appendix A: [Glossary](A_glossary.md)
-A glossary defining the technical terms used in these documents in as non-technical language as possible
+9. [Appendix A: Glossary](A_glossary.md)
+A glossary defining the technical terms used in these documents in as non-technical language as possible.
 
-10. Appendix B: [Assumed Threat Model](B_threat_model.md)
-A narrative threat model describing the expectations of operating environment, end user capabilities and adversary capabilities for use by technical readers and technical support personnel.
+10. [Appendix B: Assumed Threat Model](B_threat_model.md)
+A narrative threat model describing assumed operating environment, end-user capabilities, and adversary capabilities for use by technical readers and technical support personnel.
 
-11. Appendix C. [Frequently Asked Questions](C_FAQ.md)
-A set of questions and answers about these checklists including their origin, design and how to provide feedback on them.
+11. [Appendix C: Frequently Asked Questions](C_FAQ.md)
+A set of questions and answers about these checklists including their origin, design, and how to provide feedback on them.
 
 ## Finally...
-These documents could not exist without the support of a large group of readers, whose technical and operational peer review and feedback tuned these document, as well as the financial support of [RoadMap Consulting](https://roadmapconsulting.org) with whom we are actively using these as a tool to support our clients and communities.
+These documents could not exist without the support of a large group of readers, whose technical and operations peer-review and feedback tuned them, as well as the financial support of [RoadMap Consulting](https://roadmapconsulting.org), with whom we are actively using these as a tool to support our clients and communities.
 
 **This work is dedicated to to the humans and organizations working on the front lines of important change making work everywhere.**
 
-This content is released under a [Creative Commons Attribution-ShareAlike 4.0 International License](https://creativecommons.org/licenses/by-sa/4.0/) and can be remixed, translated or amended freely as long as shared in turn and original documents attributed to Information Ecology.
+This content is released under a [Creative Commons Attribution-ShareAlike 4.0 International License](https://creativecommons.org/licenses/by-sa/4.0/) and can be remixed, translated, or amended freely as long as the results are shared in turn and the original documents are attributed to Information Ecology.
 
-![Creative Commons Attribution-ShareAlike 4.0 International License Image](https://i.creativecommons.org/l/by-sa/4.0/88x31.png)
+[Creative Commons Attribution-ShareAlike 4.0 International License Image](https://i.creativecommons.org/l/by-sa/4.0/88x31.png)
 
-See [license file](LICENSE) for full license terms.
+See the [license file](LICENSE) for full license terms.
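Review bot: changing `![Creative Commons Attribution-ShareAlike 4.0 International License Image](...)` to `[...](...)` turns the embedded license badge into a plain link whose visible text is the word "Image", which looks unintended; restore the leading `!` or, if a text link is wanted, change the link text to name the license. The Directions entry now points to `3_directions_and_legend.md`, so confirm that rename is part of this change set or the link breaks. The unchanged dedication line still reads "dedicated to to the humans" and could be fixed while in this file.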