diff --git a/workstation-security.md b/workstation-security.md index f6ffbd9..12c1f15 100644 --- a/workstation-security.md +++ b/workstation-security.md 
@@ -16,33 +16,41 @@ ## Distro choice considerations - [CRITICAL] Has a robust MAC/RBAC implementation (SELinux/AppArmor/GrSecurity) - [CRITICAL] Publishes security bulletins +- [CRITICAL] Provides timely security patches +- [CRITICAL] Provides cryptographic verification of packages - [CRITICAL] Supports TrustedBoot - [CRITICAL] Has robust full disk encryption support (LUKS) ## Distro installation guidelines -- [CRITICAL] Use full-disk encryption -- [CRITICAL] Create a separate /home partition - - Make sure swap is also encrypted +- [CRITICAL] Use full-disk encryption on LVM level +- [CRITICAL] Make sure swap is also encrypted +- [CRITICAL] Set up a unique, robust root password +- [CRITICAL] Use an unprivileged account, part of administrators group (sudo) +- [CRITICAL] Set up a robust user-account password, different from root -## Untrusted hardware +## Post-installation hardening +- [CRITICAL] Globally disable firewire modules + ("blacklist firewire-core" in /etc/modprobe.d/bl-firewire.conf) +- [MODERATE] Check your firewalls to ensure all incoming ports are filtered +- [MODERATE] Check to ensure sshd service is disabled by default +- [MODERATE] Set up an automatic OS update schedule, or update reminders + (most distros will notify when updates are available) -- Firewire ports are disabled +## Personal workstation backups - - blacklist firewire-core in /etc/modprobe.d/blacklist-firewire.conf +## Best practices -- +### SELinux -Team communication: -- Establish PGP web of trust - - Or use s/mime with a trusted CA -- Use a password vault +- [CRITICAL] Make sure SELinux is enforcing on your workstation +- [CRITICAL] Never `setenforce 0`, use `semanage permissive -a somedomain_t` +- [CRITICAL] Never blindly run `audit2allow`, always check +- [MODERATE] Switch your account to SELinux user `staff_u` (use `usermod -Z`) +### Browsing +- [MODERATE] Use two different browsers, one for work sites only, the other + for everything else +- [PARANOID] Run the "everything else" 
browser as a different user +- [PARANOID+] Run the "everthing else" browser inside a local VM accessed + via RDP. -Practices: -- Apply updates daily - -SELinux hints: -- Run as SELinux user staff_u -- Never setenforce 0 - - Use "semanage permissive -a somedomain_t" - -
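Review bot: the new `blacklist firewire-core` line in /etc/modprobe.d/bl-firewire.conf does not fully disable FireWire, because `blacklist` only stops alias-based autoloading of the named module; the PCI alias matches `firewire-ohci`, and when that driver loads it pulls `firewire-core` in as a dependency regardless of the blacklist (and `modprobe firewire-core` by hand still works). If the intent of "Globally disable firewire modules" is to block DMA over the port, use `install firewire-core /bin/false` and `install firewire-ohci /bin/false` instead, and say so in the list item. Smaller points in the same hunk: `everthing` in the [PARANOID+] browsing line is a typo; `## Personal workstation backups` is added with no items under it, so either fill it in or leave it out of this commit; and `Use full-disk encryption on LVM level` is ambiguous between LVM-on-LUKS and LUKS-on-LVM, where only the former covers swap and the LVM metadata with one container, which the next line ("Make sure swap is also encrypted") relies on. Finally, please confirm that dropping `Create a separate /home partition`, the whole `Team communication` block (PGP web of trust / S/MIME, password vault) and `Apply updates daily` is intended rather than a rebase accident; update cadence now survives only as a [MODERATE] "schedule or reminders" item, which reads as a severity downgrade rather than a rewording.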