The section "Configuring security for your environment" has lists of tasks that are somewhat different depending whether you are in embedded or client-server mode. I assume these differences are current and valid and that the list of tasks should be different for the two modes. Please let me know if any changes are needed here.
The major work involved in this documentation, I believe, is to flip the contents of the "Derby and security" and "Configuring security for your environment" sections of http://db.apache.org/derby/docs/dev/devguide/, rework them slightly, and add links to further information to the "Configuring security for your environment" sections. The remaining sections can probably remain as is.
Further information is to be found in both the Reference Manual and the Admin Guide.
The first topic, "Derby and security", should be titled "Configuring security for Derby" and should rework the contents of "Configuring security for your environment" and its two subsections.
The next topic should be "Derby security concepts" and should use the material from the original "Derby and security" topic.
The other topics should probably remain the same, although additional tweaks are possible.
Working with user authentication
Users and authorization identifiers
Encrypting databases on disk
Signed jar files
User authentication and authorization examples
Running Derby under a security manager