The Best Practices Group is working on guides in this arena; Microsoft has been more concerned about getting the product shipped with as few bugs as possible...
From experience, I will offer these CM suggestions:
~ Use AD Groups... if you build a RS web farm later local groups will have you cornered.
~ Avoid Report-level security and leverage parent inherited security settings for container objects (folders) where possible.
~ You may want to set up separate container objects for each of your AD Groups or the parent level to an AD Group hierarchy.
~ If it is easier from a management standpoint to centrally locate an RDL file and use linked reports (they work for non-parameterized reports too) to offer it out to different security-managed container objects... avoid making two copies of an RDL file solely for security level assignments.