diff --git a/docs/security-integration/01-ad-extract-specification.md b/docs/security-integration/01-ad-extract-specification.md new file mode 100644 index 00000000..7a4017dc --- /dev/null +++ b/docs/security-integration/01-ad-extract-specification.md 
@@ -0,0 +1,199 @@ +# Active Directory Data Extract — Technical Specification + +**Document:** AD-EXTRACT-SPEC-v1.0 +**Audience:** Client IT Team / Active Directory Administrators +**Purpose:** Define the minimum AD data extract required by the integration platform when live AD connectivity is not available to the contractor + +--- + +## 1. Overview + +The integration platform requires a daily snapshot of Active Directory user accounts to: + +- Maintain a local identity registry used as the canonical source of person identity +- Detect joiners, movers, and leavers (JML) without live directory access +- Enrich occupancy and evacuation records with department, manager, and status information +- Flag anomalies (e.g. disabled accounts with active building access) + +This extract does **not** require the contractor to have any direct AD connectivity. It is produced by client IT infrastructure and delivered to the contractor's integration endpoint via an agreed secure transfer mechanism. + +--- + +## 2. Delivery Specification + +| Parameter | Value | +|-----------|-------| +| Format | JSON (preferred) or CSV | +| Frequency | Daily — delivered by **06:00 local time** | +| Transfer method | SFTP to contractor-hosted endpoint **or** HTTPS POST to integration API | +| Encryption | PGP encryption required if SFTP; TLS 1.2+ minimum if HTTPS | +| Filename convention | `ad_extract_YYYYMMDD.json` | +| Retention on source | Client retains 30 days of extract files | +| Alerting | If extract is not received by 07:00, integration platform raises an alert to both parties | + +--- + +## 3. 
Required Fields + +### 3.1 Employee / Permanent Staff + +```json +{ + "extract_date": "2026-06-03", + "extract_type": "full", + "users": [ + { + "employee_id": "EMP-1042", + "sam_account_name": "jsmith", + "display_name": "John Smith", + "email": "john.smith@company.com", + "department": "Engineering", + "job_title": "Senior Engineer", + "manager_email": "jane.doe@company.com", + "office_location": "Building A", + "floor": "Floor 2", + "cost_centre": "CC-4400", + "account_enabled": true, + "account_expires": null, + "last_modified": "2026-05-01T09:00:00Z", + "person_type": "EMPLOYEE" + } + ] +} +``` + +### 3.2 Contractors with AD Accounts + +```json +{ + "employee_id": "CONT-0055", + "sam_account_name": "b.builder.ext", + "display_name": "Bob Builder", + "email": "b.builder@bobbuilderco.com", + "department": "Facilities", + "job_title": "Contractor", + "manager_email": "facilities.manager@company.com", + "office_location": "Building A", + "floor": null, + "cost_centre": "CC-9900", + "account_enabled": true, + "account_expires": "2026-09-30T23:59:59Z", + "last_modified": "2026-04-15T08:00:00Z", + "person_type": "CONTRACTOR" +} +``` + +--- + +## 4. Field Definitions + +| Field | Type | Required | Description | +|-------|------|----------|-------------| +| `employee_id` | string | **Yes** | Unique employee or contractor reference. Must match value stored in ACT badge system. | +| `sam_account_name` | string | **Yes** | AD logon name. Used as secondary deduplication key. | +| `display_name` | string | **Yes** | Full name as displayed in directory. | +| `email` | string | **Yes** | Primary SMTP address. **Used as the common join key across all integrated systems.** | +| `department` | string | **Yes** | Organisational department. Used for evacuation list grouping. | +| `job_title` | string | No | Role/position title. | +| `manager_email` | string | No | Direct manager's email address. Used to group evacuation lists by team. 
| +| `office_location` | string | **Yes** | Building or campus identifier. Filters records relevant to this deployment. | +| `floor` | string | No | Assigned floor, if known. Supplements ACT zone data. | +| `cost_centre` | string | No | Finance cost centre code. | +| `account_enabled` | boolean | **Yes** | `true` = active account. `false` = disabled/suspended. Critical for leaver detection. | +| `account_expires` | ISO 8601 or null | No | If set, account will auto-disable on this date. Used for proactive contractor badge expiry alerts. | +| `last_modified` | ISO 8601 | **Yes** | Timestamp of last change to the AD record. Used for delta detection. | +| `person_type` | enum | **Yes** | One of: `EMPLOYEE`, `CONTRACTOR`, `SERVICE_ACCOUNT`. Service accounts excluded from occupancy logic. | + +--- + +## 5. Delta Detection Logic + +The integration platform compares each day's extract to the previous day using `employee_id` as the primary key and `last_modified` as a change indicator. + +``` +NEW record → person_type = EMPLOYEE/CONTRACTOR → Joiner workflow +MISSING record → was present yesterday → Leaver workflow (flag ACT badge for review) +account_enabled: true → false → Leaver/suspension workflow +account_expires within 14 days → Expiry warning to facilities team +department/floor changed → Mover workflow (update occupancy zone mapping) +``` + +--- + +## 6. Scope Filtering + +To avoid processing records for other sites, the extract should be pre-filtered by the client to include only users where `office_location` matches the relevant building(s). Alternatively, a full extract can be delivered and filtered on ingestion — confirm approach with client IT. + +--- + +## 7. PowerShell Export Script (Reference) + +The following script can be run by client AD administrators to generate the extract. It requires the `ActiveDirectory` PowerShell module. 
+ +```powershell +Import-Module ActiveDirectory + +$extractDate = Get-Date -Format "yyyyMMdd" +$outputPath = "C:\ADExtracts\ad_extract_$extractDate.json" + +$users = Get-ADUser -Filter {Enabled -eq $true -or Enabled -eq $false} ` + -Properties EmployeeID, DisplayName, EmailAddress, Department, Title, ` + Manager, Office, AccountExpirationDate, Enabled, ` + WhenChanged, extensionAttribute1 | + Where-Object { $_.Office -like "*Building A*" } | + Select-Object @{N='employee_id';E={$_.EmployeeID}}, + @{N='sam_account_name';E={$_.SamAccountName}}, + @{N='display_name';E={$_.DisplayName}}, + @{N='email';E={$_.EmailAddress}}, + @{N='department';E={$_.Department}}, + @{N='job_title';E={$_.Title}}, + @{N='manager_email';E={ + if ($_.Manager) { + (Get-ADUser $_.Manager -Properties EmailAddress).EmailAddress + } else { $null } + }}, + @{N='office_location';E={$_.Office}}, + @{N='floor';E={$_.extensionAttribute1}}, + @{N='account_enabled';E={$_.Enabled}}, + @{N='account_expires';E={ + if ($_.AccountExpirationDate) { + $_.AccountExpirationDate.ToString("o") + } else { $null } + }}, + @{N='last_modified';E={$_.WhenChanged.ToString("o")}}, + @{N='person_type';E={ + if ($_.SamAccountName -like "*.ext") { "CONTRACTOR" } + elseif ($_.SamAccountName -like "svc.*") { "SERVICE_ACCOUNT" } + else { "EMPLOYEE" } + }} + +$output = @{ + extract_date = (Get-Date -Format "yyyy-MM-dd") + extract_type = "full" + users = $users +} + +$output | ConvertTo-Json -Depth 5 | Out-File -FilePath $outputPath -Encoding UTF8 +Write-Host "Extract written to $outputPath — $($users.Count) records" +``` + +--- + +## 8. Data Protection Notes + +- The extract contains personal data and is subject to applicable data protection legislation (e.g. 
UK GDPR / POPIA) +- The contractor must store the extract in an encrypted datastore and retain only the current and previous day's extract +- Extract files must not be shared with third parties +- A Data Processing Agreement (DPA) must be in place between client and contractor before first extract is delivered + +--- + +## 9. Acceptance Criteria + +| Test | Expected Result | +|------|----------------| +| Extract delivered by 06:00 | Alert suppressed | +| Extract not delivered by 07:00 | Alert raised to both parties | +| Employee in yesterday's extract missing today | Leaver workflow triggered within 15 minutes of ingestion | +| `account_enabled` flips to `false` | Badge review alert sent to facilities team | +| New employee appears | Joiner record created in identity registry | diff --git a/docs/security-integration/02-jml-process-flow.md b/docs/security-integration/02-jml-process-flow.md new file mode 100644 index 00000000..c1dab97a --- /dev/null +++ b/docs/security-integration/02-jml-process-flow.md 
@@ -0,0 +1,329 @@ +# Joiner / Mover / Leaver (JML) Process Flow + +**Document:** JML-PROCESS-v1.0 +**Audience:** Client IT Team, Facilities Management, HR, Security Operations +**Purpose:** Define the end-to-end process for managing identity lifecycle events in the integrated security platform when Active Directory live access is not available + +--- + +## 1. Overview + +Without live AD connectivity, identity lifecycle events (joiners, movers, leavers) must be managed through a combination of: + +1. **Daily AD extract** — automated detection of changes +2. **Manual notification workflow** — for time-critical events (especially leavers) where the 24-hour extract cycle is insufficient +3. **Compensating controls** — badge expiry policies and Condecco contractor management + +The process below defines responsibilities for each party and the expected response times. + +--- + +## 2. Responsible Parties + +| Role | Responsibility | +|------|---------------| +| **HR** | Notify IT of new starters and leavers as early as possible | +| **IT / AD Administrator** | Manage AD accounts; trigger manual notifications for same-day leavers | +| **Facilities / Physical Security** | Manage ACT badge provisioning and revocation | +| **Contractor (Integration Team)** | Operate the integration platform; process notifications and extracts | +| **Line Manager** | Confirm leaver return of badge; approve mover access changes | + +--- + +## 3. 
JOINER WORKFLOW + +### Trigger +- New employee or contractor appears in the daily AD extract (new `employee_id` not seen previously) +- **Or** HR submits a manual joiner notification via the agreed channel + +### Process Flow + +``` +HR raises new starter request + │ + ▼ +IT creates AD account +(sets employee_id, email, department, office_location, person_type) + │ + ▼ +AD extract delivered next morning (06:00) + │ + ▼ +Integration platform detects new record + │ + ▼ +Identity registry updated: + - New person record created + - Linked to email as primary key + │ + ▼ +Facilities notified: "New joiner — badge provisioning required" + - Name, employee_id, department, floor, start date + │ + ▼ +Facilities provisions ACT badge + - Badge assigned employee_id as external reference + - Badge type: PERM or CONT + - Expiry: 90 days (renewable) for contractors / no expiry for employees + │ + ▼ +ACT badge ID written back to identity registry +(Facilities team updates via integration portal or CSV upload) + │ + ▼ +Person is now fully tracked: + Occupancy ✓ | Evacuation list ✓ | Anomaly detection ✓ +``` + +### SLAs + +| Event | Target | +|-------|--------| +| AD account created before first day | T-1 working day | +| Integration platform detects new record | Within 2 hours of extract delivery | +| Facilities notified | Within 2 hours of extract delivery | +| Badge provisioned | By end of day 1 | + +--- + +## 4. 
MOVER WORKFLOW + +### Trigger +- Employee changes department, floor, or office location +- `department`, `floor`, or `office_location` field changes between two consecutive extracts + +### Process Flow + +``` +HR / Line Manager raises change request + │ + ▼ +IT updates AD record +(department, office_location, floor, manager_email) + │ + ▼ +AD extract next morning reflects change + │ + ▼ +Integration platform detects field change via last_modified delta + │ + ▼ +Identity registry updated: + - Department / floor mapping updated + - Evacuation zone assignment recalculated + │ + ▼ +If new location requires different ACT access group: + Facilities notified: "Access group update required for [Name]" + │ + ▼ +Facilities updates ACT access groups + │ + ▼ +Change confirmed — no further action required +``` + +### SLAs + +| Event | Target | +|-------|--------| +| AD record updated | Same day as move | +| Integration platform reflects change | Next morning after extract | +| ACT access group updated | Within 1 working day of notification | + +--- + +## 5. LEAVER WORKFLOW + +> **This is the highest-risk workflow.** A leaver with an active badge and a disabled AD account is a physical security risk. Two paths exist depending on urgency. + +--- + +### 5A. PLANNED LEAVER (Notice Period Known) + +``` +HR confirms last working day (LWD) to IT and Facilities + │ + ▼ +IT schedules AD account disable for LWD end of day + │ + ▼ +Facilities schedules badge deactivation for LWD end of day + │ + ▼ +On LWD: + IT disables AD account + Facilities deactivates ACT badge + │ + ▼ +Next morning AD extract confirms account_enabled = false + │ + ▼ +Integration platform validates badge is already deactivated + If badge still active → ESCALATION ALERT sent to Facilities and Security + │ + ▼ +Identity registry updated: + Person record marked LEAVER + Retained for 90 days for audit / evacuation history + Removed from active occupancy model +``` + +--- + +### 5B. 
UNPLANNED / IMMEDIATE LEAVER (Dismissal / Resignation Same Day) + +> **24-hour extract cycle is too slow for this case. Manual notification is mandatory.** + +``` +HR / Line Manager confirms immediate leaver to IT and Security + │ + ├──────────────────────────────────┐ + ▼ ▼ +IT disables AD account immediately Facilities deactivates +(within 30 minutes of decision) ACT badge immediately + │ │ + └──────────────┬───────────────────┘ + ▼ +IT sends MANUAL LEAVER NOTIFICATION to integration platform: + + POST /api/jml/leaver + { + "employee_id": "EMP-1042", + "email": "john.smith@company.com", + "effective_datetime": "2026-06-03T14:30:00Z", + "reason": "IMMEDIATE_LEAVER", + "notified_by": "hr.admin@company.com" + } + │ + ▼ +Integration platform immediately: + 1. Marks person as LEAVER in identity registry + 2. Removes from active occupancy model + 3. If person has an active entry event (currently inside building): + → ALERT sent to Security Operations: "Immediate leaver may still be on premises" + → Evacuation list flags person as [ACCESS REVOKED] + │ + ▼ +Security confirms person has left the building + (badge return confirmed or CCTV verified) + │ + ▼ +Security acknowledges alert in integration portal + Record closed +``` + +### SLAs — Immediate Leaver + +| Action | Target | +|--------|--------| +| IT disables AD account | Within 30 minutes | +| Facilities deactivates badge | Within 30 minutes | +| Manual API notification sent | Within 30 minutes | +| Integration platform processes notification | Within 5 minutes | +| Security alert raised if person inside building | Immediate (automated) | + +--- + +## 6. CONTRACTOR EXPIRY WORKFLOW + +Contractors typically have `account_expires` set on their AD account. 
+ +``` +14 days before expiry: + Integration platform sends warning: + "Contractor [Name] badge expires on [date] — renew or confirm departure" + │ + ├── Manager confirms renewal → IT extends account_expires + │ → Facilities extends badge expiry + │ + └── Manager confirms departure → LEAVER workflow triggered + → Badge deactivated on expiry date +``` + +--- + +## 7. Manual Notification API + +When the daily extract is insufficient, IT uses the following API endpoints: + +### Immediate Leaver +``` +POST /api/v1/jml/leaver +Authorization: Bearer +Content-Type: application/json + +{ + "employee_id": "EMP-1042", + "email": "john.smith@company.com", + "effective_datetime": "2026-06-03T14:30:00Z", + "reason": "IMMEDIATE_LEAVER | DISMISSAL | SUSPENSION", + "notified_by": "it.admin@company.com" +} +``` + +### Planned Leaver +``` +POST /api/v1/jml/leaver +{ + "employee_id": "EMP-1042", + "email": "john.smith@company.com", + "effective_datetime": "2026-06-13T17:00:00Z", + "reason": "RESIGNATION", + "notified_by": "hr.admin@company.com" +} +``` + +### Manual Joiner (before extract) +``` +POST /api/v1/jml/joiner +{ + "employee_id": "EMP-1099", + "email": "new.starter@company.com", + "display_name": "New Starter", + "department": "Finance", + "office_location": "Building A", + "floor": "Floor 3", + "person_type": "EMPLOYEE", + "start_date": "2026-06-09", + "notified_by": "hr.admin@company.com" +} +``` + +API keys are issued per authorised caller (HR system, IT helpdesk tool, or manual use). All calls are logged with caller identity and timestamp. + +--- + +## 8. 
Escalation Matrix + +| Scenario | Primary Contact | Escalation | +|----------|----------------|------------| +| Extract not received by 07:00 | IT AD Administrator | IT Manager | +| Immediate leaver — badge not deactivated within 30 min | Facilities Manager | Security Operations / Head of Security | +| Leaver detected in extract but badge still active | Facilities Manager | Security Operations | +| Person inside building after badge deactivated | Security Operations | Incident Response | +| API notification fails (system error) | Integration contractor on-call | Client IT Manager | + +--- + +## 9. Audit & Compliance + +All JML events are logged with: +- Timestamp (UTC) +- Source (extract delta / manual API) +- Actor (who triggered the notification) +- Actions taken (badge deactivated, alert raised, etc.) +- Acknowledgement timestamp (for security alerts) + +Audit logs are retained for **2 years** and accessible to the client's security and compliance teams via a read-only report interface. + +--- + +## 10. Review Cadence + +| Activity | Frequency | +|----------|-----------| +| JML process review | Quarterly | +| Stale badge audit (badges with no entry events in 90 days) | Monthly | +| Contractor expiry review | Monthly | +| Extract delivery SLA performance review | Monthly | diff --git a/docs/security-integration/03-cost-breakdown.md b/docs/security-integration/03-cost-breakdown.md new file mode 100644 index 00000000..c5c71d00 --- /dev/null +++ b/docs/security-integration/03-cost-breakdown.md 
@@ -0,0 +1,147 @@ +# Project Cost Breakdown — Integrated Security Operations Platform + +**Document:** COST-BREAKDOWN-v2.0 (Revised — Honest Estimates) +**Classification:** Commercial in Confidence +**Prepared for:** Client Presentation + +> This is an **integration project**, not a platform build. All four source systems +> (ACT, Condecco, Booking, Active Directory) already exist and already hold the data. +> The work is connecting them, not building them. Costs reflect that reality. + +--- + +## 1. What We Are Actually Building + +``` +EXISTING (client already owns) WE ADD (integration only) +────────────────────────────── ───────────────────────── +ACT door control ──────────► Thin integration service +Condecco visitor system ──────────► (reads APIs, no new UI needed +Booking system ──────────► in source systems) +AD daily extract ──────────► + + Identity registry (small DB) + Occupancy state (simple logic) + Single dashboard (Power BI / + Grafana or lightweight web app) + Evacuation tablet view + Leaver alert workflow +``` + +This is **not** an enterprise platform. It is a focused integration service with a dashboard on top. A single skilled developer can deliver it. + +--- + +## 2. Honest Build Cost + +### Assumptions +- 1 developer, using modern tooling (AI-assisted development, existing open-source libraries) +- APIs for ACT, Condecco, and Booking are documented and accessible +- Client IT team delivers the AD extract (their effort, not billable to this project) +- Dashboard uses Power BI (if client has M365 licence — likely free) or Grafana (open source) +- Hosting on Azure or AWS — client may already have a subscription + +--- + +### Phase Breakdown + +| Phase | What Gets Built | Days | Cost (£700/day) | +|-------|----------------|------|-----------------| +| **1. Discovery & Identity Mapping** | API access confirmed, badge→email linkage, identity registry DB schema | 3 | £2,100 | +| **2. 
Integrations** | ACT event feed, Condecco API, Booking API, AD extract ingestion | 6 | £4,200 | +| **3. Occupancy Logic** | Entry/exit state, zone tracking, end-of-day clear | 3 | £2,100 | +| **4. Dashboard & Evacuation View** | Live occupancy (Power BI / Grafana), evacuation tablet view, PDF export | 4 | £2,800 | +| **5. Leaver Alerts & Testing** | Anomaly alerts, JML notifications, end-to-end testing, UAT | 4 | £2,800 | +| **Contingency (20%)** | API surprises, client-side delays, extra testing | 4 | £2,800 | +| **Total** | | **24 days** | **£16,800** | + +> **Day rate note:** £700/day reflects an independent developer or small agency. +> A large consultancy would charge £1,200–£1,800/day for the same work — that is +> where inflated quotes come from. The work is the same. + +--- + +### What Affects Cost Up or Down + +| Factor | Reduces Cost | Increases Cost | +|--------|-------------|----------------| +| ACT API quality | Well-documented REST API | No API — requires log file parsing or vendor engagement | +| Condecco API availability | Standard REST/webhooks | Custom export only | +| Client has M365 / Power BI | Dashboard near-free | Need to build custom UI (+3–5 days) | +| Client hosts infrastructure | Saves ongoing cost | N/A | +| AD extract already automated | -1 day | Manual extract requires scripting support | + +**Realistic range: £12,000 – £22,000 build cost.** + +--- + +## 3. Infrastructure — Annual Running Cost + +> The client likely already has cloud infrastructure. If so, these costs may be near zero. 
+ +| Component | Option A: Client's existing Azure/AWS | Option B: Contractor-hosted | +|-----------|--------------------------------------|----------------------------| +| App hosting | £0 (existing subscription) | £50–£80/month | +| Database (PostgreSQL) | £0 or minimal | £30–£60/month | +| Dashboard (Power BI) | £0 (M365 licence) | £20–£50/month (Grafana Cloud) | +| Storage & backups | £0 or minimal | £10–£20/month | +| **Annual total** | **£0 – £500** | **£1,320 – £2,520** | + +--- + +## 4. Ongoing Support + +This is a simple integration — not a complex platform requiring a managed service team. + +| Support Type | What It Covers | Annual Cost | +|-------------|----------------|------------| +| Break-fix maintenance | Fix issues if an API changes or extract fails | £1,500 – £3,000 | +| Minor enhancements | 1–2 small improvements per year | £700 – £2,100 | +| Annual health check | Review, update dependencies, test evacuation export | £700 | +| **Total annual support** | | **£2,900 – £5,800** | + +> After handover with full documentation, a client with an internal IT team can +> self-support. External support is optional, not mandatory. + +--- + +## 5. Total Cost of Ownership (3-Year) + +| | Low Estimate | High Estimate | +|--|-------------|--------------| +| **Build (one-off)** | £12,000 | £22,000 | +| **Year 1 infrastructure** | £0 | £2,520 | +| **Year 1 support** | £2,900 | £5,800 | +| **Year 1 Total** | **£14,900** | **£30,320** | +| Year 2 (operate only) | £2,900 | £8,320 | +| Year 3 (operate only) | £2,900 | £8,320 | +| **3-Year Total** | **£20,700** | **£46,960** | + +--- + +## 6. Comparison: What You Are Paying For vs. 
What You Already Have + +| Capability | Today (Free — Already Exists) | After Integration | +|-----------|------------------------------|-------------------| +| Employee evacuation list | ✓ ACT can export this | ✓ Same, plus automated | +| Visitor on evacuation list | ✗ Manual Condecco check | ✓ Automatic | +| Contractor on evacuation list | ✗ Separate sign-in sheet | ✓ Automatic | +| Leaver badge detection | ✗ Manual / ad hoc | ✓ Automated, same day | +| Live occupancy view | ✗ Not available | ✓ Real-time dashboard | +| Audit trail for regulators | ✗ Three separate exports | ✓ Single timestamped log | + +**The honest value add is narrow but meaningful:** +you are paying £12,000–£22,000 to close the visitor/contractor gap, +automate the leaver risk, and have one screen instead of three phone calls. + +--- + +## 7. Payment Milestones + +| Milestone | % | Amount (mid estimate) | +|-----------|---|----------------------| +| Contract signed | 25% | £4,250 | +| Systems connected (Phase 2 complete) | 35% | £5,950 | +| Go-live (dashboard + evacuation live) | 30% | £5,100 | +| 30-day post go-live sign-off | 10% | £1,700 | +| **Total** | | **£17,000** | diff --git a/docs/security-integration/04-client-slide-deck.md b/docs/security-integration/04-client-slide-deck.md new file mode 100644 index 00000000..717d9c75 --- /dev/null +++ b/docs/security-integration/04-client-slide-deck.md 
@@ -0,0 +1,517 @@ +# Slide Deck: Integrated Security Operations Platform +## "Your Systems Are 80% There. We Close the 20% That Matters." + +**Version 2.0 — Honest Positioning** + +> **Presenter notes** shown in `> blockquote` format after each slide. +> Designed for a 20-minute client presentation + 10 minutes Q&A. +> 13 content slides + title + close. + +--- + +--- + +## SLIDE 1 — TITLE SLIDE + +``` +┌─────────────────────────────────────────────────────────┐ +│ │ +│ INTEGRATED SECURITY OPERATIONS PLATFORM │ +│ │ +│ Your systems are 80% there. │ +│ We close the 20% that matters. │ +│ │ +│ ───────────────────────────────────────── │ +│ │ +│ Presented to: [CLIENT NAME] │ +│ Prepared by: [CONTRACTOR NAME] │ +│ Date: June 2026 │ +│ │ +└─────────────────────────────────────────────────────────┘ +``` + +> "I want to start by saying something you don't usually hear in a pitch: +> your current setup is actually pretty good. ACT gives you an evacuation +> list. Your floor wardens know their people. IT can pull an AD export. +> Today I am going to show you the specific gaps that still exist — and +> explain why closing them is worth a modest investment." + +--- + +--- + +## SLIDE 2 — WHAT YOU ALREADY HAVE (AND IT IS GOOD) + +### Your Current Process Works for Most Scenarios + +| What You Have | What It Does Well | +|--------------|-------------------| +| **ACT (Vanderblitz)** | Produces an evacuation list of badged-in employees instantly | +| **Floor Wardens** | Know their regular team members by name and face | +| **Condecco** | Logs every visitor who signed in at reception | +| **IT / AD** | Can pull a full list of active employees on request | + +**For a routine fire drill on a normal Wednesday: this works.** + +A warden pulls the ACT list, knows their floor, confirms their team. +The drill runs. The register is signed. Done. + +> "We are not here to tell you your current process is broken. It isn't — +> for the 80% case. What we want to talk about is the other 20%." 
+ +--- + +--- + +## SLIDE 3 — THE 20% THAT STILL FAILS + +### Three Specific Scenarios Where the Current Process Has a Gap + +--- + +**Gap 1 — The Visitor Who Isn't on the ACT List** + +> *It's 2pm on a Tuesday. A client group of four arrived at 1pm and signed into +> Condecco. They are on Floor 3 with your Sales team. The fire alarm sounds.* + +- ACT evacuation list: does not include them (no ACT badge — visitor pass only) +- Floor warden: may not know they are there if the Sales host didn't mention it +- Condecco: has the record — but it's on a desktop at reception, two floors away + +**Result: four unaccounted persons at the muster point.** + +--- + +**Gap 2 — The Contractor Who Falls Between Systems** + +> *A facilities contractor has been on site for three weeks on a temporary ACT badge. +> They finish their contract today and hand back the badge. Or they don't.* + +- ACT: badge may still be active (nobody told Facilities it expired) +- Condecco: contractor may not be registered (Condecco is for visitors, not contractors) +- Floor warden: may not know this person's name or whether they left + +--- + +**Gap 3 — The Leaver Whose Badge Was Never Deactivated** + +> *An employee resigned two weeks ago. IT disabled their email and AD account. +> Nobody told Facilities. The ACT badge is still active.* + +- Floor warden: sees a familiar face, assumes they still work there +- ACT list: still shows them as an employee +- No system flags this as unusual + +> "None of these are edge cases. In a building of your size, Gap 1 happens +> every day. Gap 3 is almost certainly present right now — the average +> organisation has 3–5% of active badges assigned to people who have left." 
+ +--- + +--- + +## SLIDE 4 — WHAT WE ARE NOT PROPOSING + +### Let's Be Clear About Scope + +**We are NOT proposing:** +- ❌ Replacing ACT, Condecco, or your Booking system +- ❌ A large enterprise platform with years of implementation +- ❌ A system that changes how your floor wardens work +- ❌ A £100,000+ project + +**We ARE proposing:** +- ✓ A thin integration layer that connects what you already own +- ✓ One screen that combines ACT + Condecco + Booking into a single view +- ✓ An automated alert when a badge is active but the AD account is disabled +- ✓ A tablet app for wardens — same job, complete data, no phone calls +- ✓ Delivered in 8 weeks by a small team at a realistic cost + +> "This is a focused piece of work. We are not selling you a platform. +> We are selling you the joins between platforms you already paid for." + +--- + +--- + +## SLIDE 5 — THE SPECIFIC VALUE ADD + +### What Changes — and What Stays the Same + +``` +TODAY AFTER INTEGRATION +───── ───────────────── + +Warden pulls ACT list → Same list, plus visitors + (employees only) and contractors included + +Warden phones reception → Visitor list already on + to check visitor log the tablet + +Warden checks sign-in sheet → Contractors in Condecco + for contractors automatically included + +IT notified manually of → AD extract flags leaver + leavers (sometimes) badge automatically + +Three separate exports for → Single timestamped log, + regulatory report exportable on demand +``` + +**Your wardens do the same job. They just have complete information.** + +> "The warden's role does not change. The process does not change. +> The difference is that when they stand at the muster point, they +> are not missing four visitors and wondering about the contractor +> who may or may not have left last Tuesday." + +--- + +--- + +## SLIDE 6 — HOW IT WORKS (SIMPLE VERSION) + +### We Read From Your Systems. We Add Nothing to Them. 
+ +``` + ACT sends badge Condecco logs AD extract + events in real time visitor check-in/out arrives each morning + │ │ │ + └──────────────────────┴──────────────────────┘ + │ + ┌───────────▼───────────┐ + │ Integration Layer │ + │ (runs in the │ + │ background, │ + │ always on) │ + └───────────┬───────────┘ + │ + ┌────────────────┼────────────────┐ + │ │ │ + ┌──────▼──────┐ ┌──────▼──────┐ ┌─────▼──────┐ + │ Live │ │ Evacuation │ │ Leaver │ + │ Occupancy │ │ List │ │ Alerts │ + │ Dashboard │ │ (tablet) │ │ │ + └─────────────┘ └─────────────┘ └────────────┘ +``` + +- ACT, Condecco, and your Booking system are **unchanged** +- The integration layer runs quietly in the background +- Wardens see one app on a tablet — that is the only new thing they touch + +--- + +--- + +## SLIDE 7 — THE EVACUATION LIST IN PRACTICE + +### What a Warden Sees on Their Tablet + +``` +EVACUATION LIST — FLOOR 3 ⏱ Generated: 14:32:09 ● LIVE +═══════════════════════════════════════════════════════════════════ + + EMPLOYEES (18) + ✓ Alice Brown Engineering Entry 08:51 + ✓ James Okafor Sales Entry 09:14 + ... (16 more) + + VISITORS (4) ◄── these were missing before + ✓ Sarah Chen Host: J.Okafor Entry 13:02 + ✓ Marcus Webb Host: J.Okafor Entry 13:02 + ✓ Priya Nair Host: J.Okafor Entry 13:02 + ✓ Tom Hasegawa Host: J.Okafor Entry 13:02 + + CONTRACTORS (1) ◄── this was missing before + ✓ R. Santos Facilities Entry 07:30 + + ───────────────────────────────────────────────────── + TOTAL ON FLOOR: 23 ACCOUNTED FOR: [ ] 23/23 + + ⚠ 1 ANOMALY: D. Miller — badge active, AD account + disabled 2 days ago. Check with Security. + + [ PDF EXPORT FOR FIRE REPORT ] +``` + +> "Notice the visitors. Notice the contractor. Notice the anomaly flag. +> None of that appears on today's ACT-only list. This is not a different +> process — it is the same process with the gaps closed." 
+ +--- + +--- + +## SLIDE 8 — THE LEAVER PROBLEM (SPECIFIC AND PROVABLE) + +### This Is Happening Right Now in Your Organisation + +**The typical numbers (industry benchmark):** +- Organisations with 200–500 employees: average **8–15 orphaned active badges** at any given time +- Time from AD disable to badge deactivation (manual process): **3–10 days average** +- Cost of a physical security incident from an ex-employee: **£20,000–£200,000** (legal, investigation, remediation) + +**What the integration does:** + +``` +Morning extract arrives (06:00) + │ + ▼ +Platform compares to yesterday's extract + │ + ▼ +Detects: D. Miller — account_enabled changed to FALSE + │ + ▼ +Automatic notification to Facilities: +"David Miller's AD account was disabled yesterday. + ACT badge EMP-0442 should be reviewed for deactivation." + │ + ▼ +Facilities deactivates badge — same day, not next week +``` + +**No new process for IT. No new process for HR. One notification instead of nothing.** + +> "Your IT team already disables the AD account. They are already doing +> the right thing. We just make sure Facilities hears about it automatically +> — instead of hoping someone remembers to send an email." + +--- + +--- + +## SLIDE 9 — WHAT ABOUT AD ACCESS? + +### The Contractor Does Not Need Live AD Connectivity + +> *You may be wondering: how does the contractor read from Active Directory +> without being given access to our directory?* + +**Answer: they don't need live access. 
They never touch your AD.** + +``` +YOUR IT TEAM CONTRACTOR +──────────── ────────── +Runs a scheduled script → Receives an encrypted +(overnight, automated) file each morning + +Script exports minimum Platform ingests it, +required fields only: detects changes, +name, email, department, sends alerts +account status, floor +``` + +- Your IT team runs a PowerShell script (we provide it — 10 minutes to set up) +- Script runs overnight, drops an encrypted file to a secure endpoint +- Contractor receives data, never connects to your AD +- **Best practice: external contractors should not have AD access. This design enforces that.** + +--- + +--- + +## SLIDE 10 — HONEST COST + +### What This Actually Costs — No Inflated Consulting Fees + +> *This is an integration project. We are connecting four APIs and building +> a dashboard. We will be honest about what that is worth.* + +``` +BUILD (one-off) +─────────────── + Discovery + identity mapping: £2,100 + API integrations (all 4 systems): £4,200 + Occupancy logic: £2,100 + Dashboard + evacuation tablet view: £2,800 + Alerts + testing + UAT: £2,800 + Contingency (20%): £2,800 + ───────────────────────────────────────────── + TOTAL BUILD: £16,800 + +ANNUAL RUNNING COST +─────────────────── + Infrastructure (if on your Azure): £0 – £500 + Support & maintenance: £2,900 – £5,800 + ───────────────────────────────────────────── + ANNUAL TOTAL: £2,900 – £6,300 + +3-YEAR TOTAL: £22,600 – £35,400 +``` + +**Payment tied to delivery milestones — you pay as we deliver, not upfront.** + +> "We are not a large consultancy charging £1,500 a day to staff a team of +> six. This is a focused piece of work. A skilled developer with the right +> tools can deliver it in 6–8 weeks. We are pricing it honestly." + +--- + +--- + +## SLIDE 11 — IS IT WORTH IT? 
+ +### A Direct Comparison + +**What you have today — and it costs nothing extra:** +- ACT evacuation list (employees only) ✓ +- Floor wardens (know their regulars) ✓ +- IT can export AD users (on request, not real-time) ✓ +- Condecco visitor log (at reception, not at muster point) ✓ + +**What you get after integration — for £16,800 build:** +- Evacuation list includes visitors and contractors ✓ +- Warden has everything on a tablet, at the muster point ✓ +- Leaver badges flagged automatically, same day ✓ +- Single audit log for regulatory reporting ✓ +- Live occupancy dashboard ✓ + +**The honest question to ask:** + +> *"If we have a real emergency — not a drill, a real one — at 2pm +> on a day when we have visitors on three floors and two contractors +> in the building, how confident are we that the current process +> accounts for every person?"* + +If the answer is "not fully confident" — this project closes that gap for the cost of one regulatory fine, one legal incident, or roughly 24 days of a facilities manager's time spent on manual reconciliation. + +--- + +--- + +## SLIDE 12 — DELIVERY TIMELINE + +### 8 Weeks. Working Software. Nothing Theoretical. + +``` +Week 1–2 Week 3–4 Week 5–6 Week 7–8 +──────── ──────── ──────── ──────── +Discovery Integrations Dashboard & Testing, +& Identity ───────────── Evacuation UAT & +Mapping ACT connected View Go-Live +────────── Condecco ───────────── ──────── +API access connected Warden tablet Wardens +confirmed Booking app live trained + connected Leaver alerts Docs +Badge→email AD extract active handed +linkage ingesting over +complete +``` + +**End of Week 8:** Your wardens have the tablet app. The leaver alerts are running. The dashboard is live. + +**No phased multi-year rollout. No steering committees. 
Working software in 8 weeks.** + +--- + +--- + +## SLIDE 13 — WHAT WE NEED FROM YOU + +### Minimal Asks — Mostly Access, Not Effort + +| What We Need | Who Provides It | Time Required | +|-------------|----------------|---------------| +| ACT API credentials / documentation | Vanderblitz / your Facilities team | 1 hour | +| Condecco API access | Your Facilities / IT team | 30 minutes | +| Booking system API or DB read access | Your IT team | 1 hour | +| AD extract setup (we provide the script) | Your IT administrator | 2 hours (one-off) | +| Named project contact | You | Ongoing — 30 min/week | +| UAT sign-off (end of Week 7) | Facilities manager + 1–2 wardens | 2 hours | + +**Total client effort: approximately 8 hours across 8 weeks.** + +--- + +--- + +## SLIDE 14 — NEXT STEPS + +### Simple Decision. Quick Start. + +``` + THIS WEEK NEXT WEEK WEEK 2–3 WEEK 4 + ───────── ───────── ──────── ────── + Agree to API access Contract Work + proceed shared signed begins + │ │ │ │ + ▼ ▼ ▼ ▼ + Nominate 30-minute Agree Discovery + a project call with milestones workshop + contact IT/Facilities and KPIs +``` + +**Success measure we will agree upfront:** + +On completion, a fire warden starts a drill, opens the tablet app, and the evacuation list includes every employee, visitor, and contractor currently in the building — generated in under 10 seconds. + +That is the deliverable. That is what you are paying for. + +--- + +**Questions?** + +Contact: [Contractor Name] +Email: [contact@contractor.com] + +--- + +> Close with: "You already have good systems and good people. What you don't +> have is a single view that brings them together at the moment it matters most. +> We can build that join in 8 weeks for less than the cost of one serious incident. +> That is the whole pitch." 
+ +--- + +--- + +## APPENDIX — FOR TECHNICAL STAKEHOLDERS + +### What We Are Actually Building (Honest Technical Scope) + +``` +COMPONENTS TECHNOLOGY +────────── ────────── +Integration service Node.js or Python — lightweight, + runs on a single small VM or + Azure Function / AWS Lambda + +Identity registry PostgreSQL — single table of + ~500–2000 person records + +Occupancy state In-memory + DB — simple entry/exit + counter per zone, reset daily + +Dashboard Power BI (if M365 licence exists) + or Grafana (open source, free) + or lightweight React app (if custom + look/feel required — adds 3 days) + +Evacuation tablet view Responsive web app — works on any + tablet browser, no app store required + +Alerting Email + Teams webhook — no additional + platform required + +AD extract ingestion Scheduled job reads JSON/CSV drop + from SFTP or HTTPS endpoint +``` + +### What Could Make It More Expensive + +| Scenario | Additional Cost | +|----------|----------------| +| ACT has no REST API — requires log file parsing | +£2,000–£4,000 | +| Condecco requires vendor engagement for API access | +£1,000–£2,000 | +| Client requires custom-branded dashboard (not Power BI/Grafana) | +£2,000–£3,500 | +| High-availability / failover hosting required | +£1,500–£3,000/yr | +| Client requires ISO 27001-aligned delivery documentation | +£1,500 | + +### What Makes It Cheaper + +| Scenario | Saving | +|----------|--------| +| Client hosts on existing Azure subscription | -£1,320–£2,520/yr | +| Client has Power BI (M365) — no dashboard build needed | -£1,400 | +| AD extract script already exists | -£700 |
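Review bot: Slide 8's detection flow ("Platform compares to yesterday's extract") only describes the happy path; it should state what the platform does when an extract is missing, empty or stale, since a silently skipped or short file would either suppress the leaver alert entirely or flag every account as changed, and slide 9 likewise says only that "Receives an encrypted file each morning" without saying how the platform verifies the file came from the client's scheduled script before it acts on it. Suggest adding one line under "What the integration does" along the lines of "If no extract is received by 07:00, or the file fails integrity/freshness checks, raise an alert and keep yesterday's state; never treat an absent user as a leaver." Two smaller consistency points in the same hunk: slide 9 says the PowerShell script takes "10 minutes to set up" while slide 13 budgets "2 hours (one-off)" for the same task, and slide 10 quotes "6–8 weeks" where every other slide says 8 weeks.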