#68 suggests adding a security manager team to all orgs.
Since managing membership of roles must be done by subproject owners, we need to do some coordination, and documenting these things is helpful. I think we should have docs on:
- how security manager permissions are granted (e.g. create a `security` team, or a `security/jupyter-security` sub-team in case there should be any 'security' team members specific to an org while keeping the `jupyter-security` common list consistent across orgs)
- some explanation about what it accomplishes (the links in #68 should cover most of it)
- who should be on the list (#68 suggests one list for all orgs - that could be a file in this repo, but it doesn't specify who should be on that list. This should be written down)
- how jupyter/security and/or org managers stay on top of membership of those lists (#68 suggests an audit schedule)