In the context of -doc the only document I'm aware of is the Securing
Debian HOWTO.
I've attempted to digest it. It's too complete - e.g. it talks about securing features [web servers etc] that I do not believe should exist on a system used by my target audience [including myself].
While it will probably contain all the information you
require, but it's entirely possible it might scare your friend a bit.
It scares me ;/