From c155081011cd82db635df837d137da9aa770d230 Mon Sep 17 00:00:00 2001 From: Claude Date: Wed, 3 Jun 2026 06:39:12 +0000 Subject: [PATCH 1/2] Add integrated security platform documentation suite Includes AD extract specification, JML process flow, cost breakdown, and client-facing slide deck for the unified occupancy/evacuation platform. https://claude.ai/code/session_01VQ2Vk1qd2nMMQKD4MM5KQs --- .../01-ad-extract-specification.md | 199 +++++++ .../02-jml-process-flow.md | 329 ++++++++++++ .../security-integration/03-cost-breakdown.md | 199 +++++++ .../04-client-slide-deck.md | 486 ++++++++++++++++++ 4 files changed, 1213 insertions(+) create mode 100644 docs/security-integration/01-ad-extract-specification.md create mode 100644 docs/security-integration/02-jml-process-flow.md create mode 100644 docs/security-integration/03-cost-breakdown.md create mode 100644 docs/security-integration/04-client-slide-deck.md diff --git a/docs/security-integration/01-ad-extract-specification.md b/docs/security-integration/01-ad-extract-specification.md new file mode 100644 index 00000000..7a4017dc --- /dev/null +++ b/docs/security-integration/01-ad-extract-specification.md 
@@ -0,0 +1,199 @@ +# Active Directory Data Extract — Technical Specification + +**Document:** AD-EXTRACT-SPEC-v1.0 +**Audience:** Client IT Team / Active Directory Administrators +**Purpose:** Define the minimum AD data extract required by the integration platform when live AD connectivity is not available to the contractor + +--- + +## 1. Overview + +The integration platform requires a daily snapshot of Active Directory user accounts to: + +- Maintain a local identity registry used as the canonical source of person identity +- Detect joiners, movers, and leavers (JML) without live directory access +- Enrich occupancy and evacuation records with department, manager, and status information +- Flag anomalies (e.g. disabled accounts with active building access) + +This extract does **not** require the contractor to have any direct AD connectivity. It is produced by client IT infrastructure and delivered to the contractor's integration endpoint via an agreed secure transfer mechanism. + +--- + +## 2. Delivery Specification + +| Parameter | Value | +|-----------|-------| +| Format | JSON (preferred) or CSV | +| Frequency | Daily — delivered by **06:00 local time** | +| Transfer method | SFTP to contractor-hosted endpoint **or** HTTPS POST to integration API | +| Encryption | PGP encryption required if SFTP; TLS 1.2+ minimum if HTTPS | +| Filename convention | `ad_extract_YYYYMMDD.json` | +| Retention on source | Client retains 30 days of extract files | +| Alerting | If extract is not received by 07:00, integration platform raises an alert to both parties | + +--- + +## 3. 
Required Fields + +### 3.1 Employee / Permanent Staff + +```json +{ + "extract_date": "2026-06-03", + "extract_type": "full", + "users": [ + { + "employee_id": "EMP-1042", + "sam_account_name": "jsmith", + "display_name": "John Smith", + "email": "john.smith@company.com", + "department": "Engineering", + "job_title": "Senior Engineer", + "manager_email": "jane.doe@company.com", + "office_location": "Building A", + "floor": "Floor 2", + "cost_centre": "CC-4400", + "account_enabled": true, + "account_expires": null, + "last_modified": "2026-05-01T09:00:00Z", + "person_type": "EMPLOYEE" + } + ] +} +``` + +### 3.2 Contractors with AD Accounts + +```json +{ + "employee_id": "CONT-0055", + "sam_account_name": "b.builder.ext", + "display_name": "Bob Builder", + "email": "b.builder@bobbuilderco.com", + "department": "Facilities", + "job_title": "Contractor", + "manager_email": "facilities.manager@company.com", + "office_location": "Building A", + "floor": null, + "cost_centre": "CC-9900", + "account_enabled": true, + "account_expires": "2026-09-30T23:59:59Z", + "last_modified": "2026-04-15T08:00:00Z", + "person_type": "CONTRACTOR" +} +``` + +--- + +## 4. Field Definitions + +| Field | Type | Required | Description | +|-------|------|----------|-------------| +| `employee_id` | string | **Yes** | Unique employee or contractor reference. Must match value stored in ACT badge system. | +| `sam_account_name` | string | **Yes** | AD logon name. Used as secondary deduplication key. | +| `display_name` | string | **Yes** | Full name as displayed in directory. | +| `email` | string | **Yes** | Primary SMTP address. **Used as the common join key across all integrated systems.** | +| `department` | string | **Yes** | Organisational department. Used for evacuation list grouping. | +| `job_title` | string | No | Role/position title. | +| `manager_email` | string | No | Direct manager's email address. Used to group evacuation lists by team. 
| +| `office_location` | string | **Yes** | Building or campus identifier. Filters records relevant to this deployment. | +| `floor` | string | No | Assigned floor, if known. Supplements ACT zone data. | +| `cost_centre` | string | No | Finance cost centre code. | +| `account_enabled` | boolean | **Yes** | `true` = active account. `false` = disabled/suspended. Critical for leaver detection. | +| `account_expires` | ISO 8601 or null | No | If set, account will auto-disable on this date. Used for proactive contractor badge expiry alerts. | +| `last_modified` | ISO 8601 | **Yes** | Timestamp of last change to the AD record. Used for delta detection. | +| `person_type` | enum | **Yes** | One of: `EMPLOYEE`, `CONTRACTOR`, `SERVICE_ACCOUNT`. Service accounts excluded from occupancy logic. | + +--- + +## 5. Delta Detection Logic + +The integration platform compares each day's extract to the previous day using `employee_id` as the primary key and `last_modified` as a change indicator. + +``` +NEW record → person_type = EMPLOYEE/CONTRACTOR → Joiner workflow +MISSING record → was present yesterday → Leaver workflow (flag ACT badge for review) +account_enabled: true → false → Leaver/suspension workflow +account_expires within 14 days → Expiry warning to facilities team +department/floor changed → Mover workflow (update occupancy zone mapping) +``` + +--- + +## 6. Scope Filtering + +To avoid processing records for other sites, the extract should be pre-filtered by the client to include only users where `office_location` matches the relevant building(s). Alternatively, a full extract can be delivered and filtered on ingestion — confirm approach with client IT. + +--- + +## 7. PowerShell Export Script (Reference) + +The following script can be run by client AD administrators to generate the extract. It requires the `ActiveDirectory` PowerShell module. 
+ +```powershell +Import-Module ActiveDirectory + +$extractDate = Get-Date -Format "yyyyMMdd" +$outputPath = "C:\ADExtracts\ad_extract_$extractDate.json" + +$users = Get-ADUser -Filter {Enabled -eq $true -or Enabled -eq $false} ` + -Properties EmployeeID, DisplayName, EmailAddress, Department, Title, ` + Manager, Office, AccountExpirationDate, Enabled, ` + WhenChanged, extensionAttribute1 | + Where-Object { $_.Office -like "*Building A*" } | + Select-Object @{N='employee_id';E={$_.EmployeeID}}, + @{N='sam_account_name';E={$_.SamAccountName}}, + @{N='display_name';E={$_.DisplayName}}, + @{N='email';E={$_.EmailAddress}}, + @{N='department';E={$_.Department}}, + @{N='job_title';E={$_.Title}}, + @{N='manager_email';E={ + if ($_.Manager) { + (Get-ADUser $_.Manager -Properties EmailAddress).EmailAddress + } else { $null } + }}, + @{N='office_location';E={$_.Office}}, + @{N='floor';E={$_.extensionAttribute1}}, + @{N='account_enabled';E={$_.Enabled}}, + @{N='account_expires';E={ + if ($_.AccountExpirationDate) { + $_.AccountExpirationDate.ToString("o") + } else { $null } + }}, + @{N='last_modified';E={$_.WhenChanged.ToString("o")}}, + @{N='person_type';E={ + if ($_.SamAccountName -like "*.ext") { "CONTRACTOR" } + elseif ($_.SamAccountName -like "svc.*") { "SERVICE_ACCOUNT" } + else { "EMPLOYEE" } + }} + +$output = @{ + extract_date = (Get-Date -Format "yyyy-MM-dd") + extract_type = "full" + users = $users +} + +$output | ConvertTo-Json -Depth 5 | Out-File -FilePath $outputPath -Encoding UTF8 +Write-Host "Extract written to $outputPath — $($users.Count) records" +``` + +--- + +## 8. Data Protection Notes + +- The extract contains personal data and is subject to applicable data protection legislation (e.g. 
UK GDPR / POPIA) +- The contractor must store the extract in an encrypted datastore and retain only the current and previous day's extract +- Extract files must not be shared with third parties +- A Data Processing Agreement (DPA) must be in place between client and contractor before first extract is delivered + +--- + +## 9. Acceptance Criteria + +| Test | Expected Result | +|------|----------------| +| Extract delivered by 06:00 | Alert suppressed | +| Extract not delivered by 07:00 | Alert raised to both parties | +| Employee in yesterday's extract missing today | Leaver workflow triggered within 15 minutes of ingestion | +| `account_enabled` flips to `false` | Badge review alert sent to facilities team | +| New employee appears | Joiner record created in identity registry | diff --git a/docs/security-integration/02-jml-process-flow.md b/docs/security-integration/02-jml-process-flow.md new file mode 100644 index 00000000..c1dab97a --- /dev/null +++ b/docs/security-integration/02-jml-process-flow.md 
@@ -0,0 +1,329 @@ +# Joiner / Mover / Leaver (JML) Process Flow + +**Document:** JML-PROCESS-v1.0 +**Audience:** Client IT Team, Facilities Management, HR, Security Operations +**Purpose:** Define the end-to-end process for managing identity lifecycle events in the integrated security platform when Active Directory live access is not available + +--- + +## 1. Overview + +Without live AD connectivity, identity lifecycle events (joiners, movers, leavers) must be managed through a combination of: + +1. **Daily AD extract** — automated detection of changes +2. **Manual notification workflow** — for time-critical events (especially leavers) where the 24-hour extract cycle is insufficient +3. **Compensating controls** — badge expiry policies and Condecco contractor management + +The process below defines responsibilities for each party and the expected response times. + +--- + +## 2. Responsible Parties + +| Role | Responsibility | +|------|---------------| +| **HR** | Notify IT of new starters and leavers as early as possible | +| **IT / AD Administrator** | Manage AD accounts; trigger manual notifications for same-day leavers | +| **Facilities / Physical Security** | Manage ACT badge provisioning and revocation | +| **Contractor (Integration Team)** | Operate the integration platform; process notifications and extracts | +| **Line Manager** | Confirm leaver return of badge; approve mover access changes | + +--- + +## 3. 
JOINER WORKFLOW + +### Trigger +- New employee or contractor appears in the daily AD extract (new `employee_id` not seen previously) +- **Or** HR submits a manual joiner notification via the agreed channel + +### Process Flow + +``` +HR raises new starter request + │ + ▼ +IT creates AD account +(sets employee_id, email, department, office_location, person_type) + │ + ▼ +AD extract delivered next morning (06:00) + │ + ▼ +Integration platform detects new record + │ + ▼ +Identity registry updated: + - New person record created + - Linked to email as primary key + │ + ▼ +Facilities notified: "New joiner — badge provisioning required" + - Name, employee_id, department, floor, start date + │ + ▼ +Facilities provisions ACT badge + - Badge assigned employee_id as external reference + - Badge type: PERM or CONT + - Expiry: 90 days (renewable) for contractors / no expiry for employees + │ + ▼ +ACT badge ID written back to identity registry +(Facilities team updates via integration portal or CSV upload) + │ + ▼ +Person is now fully tracked: + Occupancy ✓ | Evacuation list ✓ | Anomaly detection ✓ +``` + +### SLAs + +| Event | Target | +|-------|--------| +| AD account created before first day | T-1 working day | +| Integration platform detects new record | Within 2 hours of extract delivery | +| Facilities notified | Within 2 hours of extract delivery | +| Badge provisioned | By end of day 1 | + +--- + +## 4. 
MOVER WORKFLOW + +### Trigger +- Employee changes department, floor, or office location +- `department`, `floor`, or `office_location` field changes between two consecutive extracts + +### Process Flow + +``` +HR / Line Manager raises change request + │ + ▼ +IT updates AD record +(department, office_location, floor, manager_email) + │ + ▼ +AD extract next morning reflects change + │ + ▼ +Integration platform detects field change via last_modified delta + │ + ▼ +Identity registry updated: + - Department / floor mapping updated + - Evacuation zone assignment recalculated + │ + ▼ +If new location requires different ACT access group: + Facilities notified: "Access group update required for [Name]" + │ + ▼ +Facilities updates ACT access groups + │ + ▼ +Change confirmed — no further action required +``` + +### SLAs + +| Event | Target | +|-------|--------| +| AD record updated | Same day as move | +| Integration platform reflects change | Next morning after extract | +| ACT access group updated | Within 1 working day of notification | + +--- + +## 5. LEAVER WORKFLOW + +> **This is the highest-risk workflow.** A leaver with an active badge and a disabled AD account is a physical security risk. Two paths exist depending on urgency. + +--- + +### 5A. PLANNED LEAVER (Notice Period Known) + +``` +HR confirms last working day (LWD) to IT and Facilities + │ + ▼ +IT schedules AD account disable for LWD end of day + │ + ▼ +Facilities schedules badge deactivation for LWD end of day + │ + ▼ +On LWD: + IT disables AD account + Facilities deactivates ACT badge + │ + ▼ +Next morning AD extract confirms account_enabled = false + │ + ▼ +Integration platform validates badge is already deactivated + If badge still active → ESCALATION ALERT sent to Facilities and Security + │ + ▼ +Identity registry updated: + Person record marked LEAVER + Retained for 90 days for audit / evacuation history + Removed from active occupancy model +``` + +--- + +### 5B. 
UNPLANNED / IMMEDIATE LEAVER (Dismissal / Resignation Same Day) + +> **24-hour extract cycle is too slow for this case. Manual notification is mandatory.** + +``` +HR / Line Manager confirms immediate leaver to IT and Security + │ + ├──────────────────────────────────┐ + ▼ ▼ +IT disables AD account immediately Facilities deactivates +(within 30 minutes of decision) ACT badge immediately + │ │ + └──────────────┬───────────────────┘ + ▼ +IT sends MANUAL LEAVER NOTIFICATION to integration platform: + + POST /api/jml/leaver + { + "employee_id": "EMP-1042", + "email": "john.smith@company.com", + "effective_datetime": "2026-06-03T14:30:00Z", + "reason": "IMMEDIATE_LEAVER", + "notified_by": "hr.admin@company.com" + } + │ + ▼ +Integration platform immediately: + 1. Marks person as LEAVER in identity registry + 2. Removes from active occupancy model + 3. If person has an active entry event (currently inside building): + → ALERT sent to Security Operations: "Immediate leaver may still be on premises" + → Evacuation list flags person as [ACCESS REVOKED] + │ + ▼ +Security confirms person has left the building + (badge return confirmed or CCTV verified) + │ + ▼ +Security acknowledges alert in integration portal + Record closed +``` + +### SLAs — Immediate Leaver + +| Action | Target | +|--------|--------| +| IT disables AD account | Within 30 minutes | +| Facilities deactivates badge | Within 30 minutes | +| Manual API notification sent | Within 30 minutes | +| Integration platform processes notification | Within 5 minutes | +| Security alert raised if person inside building | Immediate (automated) | + +--- + +## 6. CONTRACTOR EXPIRY WORKFLOW + +Contractors typically have `account_expires` set on their AD account. 
+ +``` +14 days before expiry: + Integration platform sends warning: + "Contractor [Name] badge expires on [date] — renew or confirm departure" + │ + ├── Manager confirms renewal → IT extends account_expires + │ → Facilities extends badge expiry + │ + └── Manager confirms departure → LEAVER workflow triggered + → Badge deactivated on expiry date +``` + +--- + +## 7. Manual Notification API + +When the daily extract is insufficient, IT uses the following API endpoints: + +### Immediate Leaver +``` +POST /api/v1/jml/leaver +Authorization: Bearer +Content-Type: application/json + +{ + "employee_id": "EMP-1042", + "email": "john.smith@company.com", + "effective_datetime": "2026-06-03T14:30:00Z", + "reason": "IMMEDIATE_LEAVER | DISMISSAL | SUSPENSION", + "notified_by": "it.admin@company.com" +} +``` + +### Planned Leaver +``` +POST /api/v1/jml/leaver +{ + "employee_id": "EMP-1042", + "email": "john.smith@company.com", + "effective_datetime": "2026-06-13T17:00:00Z", + "reason": "RESIGNATION", + "notified_by": "hr.admin@company.com" +} +``` + +### Manual Joiner (before extract) +``` +POST /api/v1/jml/joiner +{ + "employee_id": "EMP-1099", + "email": "new.starter@company.com", + "display_name": "New Starter", + "department": "Finance", + "office_location": "Building A", + "floor": "Floor 3", + "person_type": "EMPLOYEE", + "start_date": "2026-06-09", + "notified_by": "hr.admin@company.com" +} +``` + +API keys are issued per authorised caller (HR system, IT helpdesk tool, or manual use). All calls are logged with caller identity and timestamp. + +--- + +## 8. 
Escalation Matrix + +| Scenario | Primary Contact | Escalation | +|----------|----------------|------------| +| Extract not received by 07:00 | IT AD Administrator | IT Manager | +| Immediate leaver — badge not deactivated within 30 min | Facilities Manager | Security Operations / Head of Security | +| Leaver detected in extract but badge still active | Facilities Manager | Security Operations | +| Person inside building after badge deactivated | Security Operations | Incident Response | +| API notification fails (system error) | Integration contractor on-call | Client IT Manager | + +--- + +## 9. Audit & Compliance + +All JML events are logged with: +- Timestamp (UTC) +- Source (extract delta / manual API) +- Actor (who triggered the notification) +- Actions taken (badge deactivated, alert raised, etc.) +- Acknowledgement timestamp (for security alerts) + +Audit logs are retained for **2 years** and accessible to the client's security and compliance teams via a read-only report interface. + +--- + +## 10. Review Cadence + +| Activity | Frequency | +|----------|-----------| +| JML process review | Quarterly | +| Stale badge audit (badges with no entry events in 90 days) | Monthly | +| Contractor expiry review | Monthly | +| Extract delivery SLA performance review | Monthly | diff --git a/docs/security-integration/03-cost-breakdown.md b/docs/security-integration/03-cost-breakdown.md new file mode 100644 index 00000000..aadced98 --- /dev/null +++ b/docs/security-integration/03-cost-breakdown.md 
@@ -0,0 +1,199 @@ +# Project Cost Breakdown — Integrated Security Operations Platform + +**Document:** COST-BREAKDOWN-v1.0 +**Classification:** Commercial in Confidence +**Prepared for:** Client Presentation + +> All figures in GBP. Adjust currency and rates for your market. +> Ranges reflect low/high complexity scenarios — finalised after discovery workshop. + +--- + +## 1. Summary + +| Phase | One-Off Cost | Annual Recurring | +|-------|-------------|-----------------| +| Phase 1 — Identity Mapping & Foundations | £18,000 – £24,000 | — | +| Phase 2 — System Integration (ACT, Condecco, Booking) | £32,000 – £45,000 | — | +| Phase 3 — Occupancy Engine | £18,000 – £25,000 | — | +| Phase 4 — Dashboard & Evacuation Module | £22,000 – £30,000 | — | +| Phase 5 — Alerting, Audit & Hardening | £12,000 – £16,000 | — | +| **Total Build** | **£102,000 – £140,000** | — | +| Infrastructure (cloud hosting) | — | £8,400 – £14,400 | +| Support & Managed Service | — | £18,000 – £28,000 | +| Licence fees (third-party tools) | — | £4,800 – £9,600 | +| **Total Annual Operating Cost** | — | **£31,200 – £52,000** | +| **Year 1 Total (Build + Operate)** | **£133,200 – £192,000** | | +| **Year 2+ Annual Cost** | — | **£31,200 – £52,000** | + +--- + +## 2. 
Build Cost Detail + +### Phase 1 — Identity Mapping & Foundations (£18,000 – £24,000) + +| Work Item | Days | Rate/Day | Low | High | +|-----------|------|----------|-----|------| +| Discovery workshop & system inventory | 3 | £900 | £2,700 | £3,600 | +| ACT badge-to-AD mapping exercise | 3 | £900 | £2,700 | £3,600 | +| Identity registry database design | 3 | £900 | £2,700 | £3,600 | +| AD extract ingestion pipeline | 4 | £900 | £3,600 | £5,400 | +| Email as common key enforcement | 2 | £900 | £1,800 | £2,700 | +| JML workflow implementation | 5 | £900 | £4,500 | £5,100 | +| **Phase 1 Total** | **20–24 days** | | **£18,000** | **£24,000** | + +--- + +### Phase 2 — System Integrations (£32,000 – £45,000) + +| Integration | Complexity | Days | Low | High | +|-------------|-----------|------|-----|------| +| ACT (Vanderblitz) — event streaming | Medium-High | 8–12 | £7,200 | £10,800 | +| ACT — badge provisioning API | Medium | 5–7 | £4,500 | £6,300 | +| Condecco — visitor/contractor API | Medium | 6–8 | £5,400 | £7,200 | +| Booking system — reservation API | Medium | 5–8 | £4,500 | £7,200 | +| Integration middleware setup | Medium | 4–5 | £3,600 | £4,500 | +| API gateway & authentication | Low | 3–4 | £2,700 | £3,600 | +| End-to-end integration testing | Medium | 5–7 | £4,500 | £6,300 | +| **Phase 2 Total** | **36–51 days** | | **£32,400** | **£45,900** | + +> **Note:** ACT (Vanderblitz) integration complexity depends on API documentation availability and whether a supported SDK exists. If vendor cooperation is required, add £3,000–£6,000 for vendor engagement. 
+ +--- + +### Phase 3 — Occupancy Engine (£18,000 – £25,000) + +| Work Item | Days | Low | High | +|-----------|------|-----|------| +| Entry/exit state machine design | 3 | £2,700 | £3,600 | +| Zone-level occupancy tracking | 5 | £4,500 | £5,400 | +| Anti-passback & tailgating handling | 4 | £3,600 | £4,500 | +| End-of-day auto-clear logic | 2 | £1,800 | £2,700 | +| Multi-source reconciliation (ACT + Condecco + Booking) | 5 | £4,500 | £5,400 | +| Unit & integration testing | 4 | £3,600 | £3,600 | +| **Phase 3 Total** | **23–28 days** | **£20,700** | **£25,200** | + +--- + +### Phase 4 — Dashboard & Evacuation Module (£22,000 – £30,000) + +| Work Item | Days | Low | High | +|-----------|------|-----|------| +| Dashboard UI (live occupancy by zone/floor) | 6 | £5,400 | £7,200 | +| Evacuation list generator (zone/department/person-type filters) | 5 | £4,500 | £5,400 | +| PDF/print export for evacuation | 2 | £1,800 | £2,700 | +| Tablet/mobile optimised evacuation view | 3 | £2,700 | £3,600 | +| Offline fallback (PWA with cached list) | 3 | £2,700 | £3,600 | +| Role-based access control (Warden / Security / Admin) | 3 | £2,700 | £3,600 | +| User acceptance testing | 4 | £3,600 | £3,600 | +| **Phase 4 Total** | **26–32 days** | **£23,400** | **£29,700** | + +--- + +### Phase 5 — Alerting, Audit & Hardening (£12,000 – £16,000) + +| Work Item | Days | Low | High | +|-----------|------|-----|------| +| Anomaly alert rules (leaver in building, after-hours access, etc.) | 3 | £2,700 | £3,600 | +| Email/Teams/SMS alert integration | 2 | £1,800 | £2,700 | +| Audit log implementation | 2 | £1,800 | £2,700 | +| Penetration testing (external) | 3 | £2,700 | £3,600 | +| Security hardening & remediation | 2 | £1,800 | £2,700 | +| Handover documentation & training | 2 | £1,800 | £1,800 | +| **Phase 5 Total** | **14–16 days** | **£12,600** | **£17,100** | + +--- + +## 3. 
Infrastructure — Annual Operating Cost + +### 3.1 Cloud Hosting (Azure / AWS) + +| Component | Spec | Monthly | Annual | +|-----------|------|---------|--------| +| Application server | 2 vCPU, 4GB RAM (Standard tier) | £80–£140 | £960–£1,680 | +| Database server | PostgreSQL managed, 50GB | £60–£100 | £720–£1,200 | +| Elasticsearch / search | Small cluster (3 nodes) | £150–£300 | £1,800–£3,600 | +| Storage (logs, extracts) | 500GB | £10–£20 | £120–£240 | +| Backup & DR | Daily snapshots, 30-day retention | £20–£40 | £240–£480 | +| Networking / egress | Estimated | £10–£20 | £120–£240 | +| **Total Infrastructure** | | **£330–£620/mo** | **£3,960–£7,440** | + +> High-availability (HA) configuration with failover doubles infrastructure cost. Recommended if evacuation system is safety-critical. + +| Configuration | Annual Cost | +|--------------|------------| +| Standard (single-region) | £3,960 – £7,440 | +| High Availability (multi-zone failover) | £7,920 – £14,400 | + +--- + +### 3.2 Third-Party Licences + +| Tool | Purpose | Annual Cost | +|------|---------|------------| +| Integration middleware (e.g. MuleSoft Starter / n8n Cloud) | System connectors | £1,200 – £3,600 | +| SIEM / log management (e.g. Elastic Cloud / Splunk free tier) | Audit log storage | £1,200 – £2,400 | +| Alerting (PagerDuty / Opsgenie) | Incident notifications | £600 – £1,800 | +| SSL certificates | TLS for all endpoints | Free (Let's Encrypt) – £300 | +| **Total Licences** | | **£3,000 – £8,100** | + +--- + +## 4. 
Support & Managed Service — Annual + +| Service | Description | Annual Cost | +|---------|-------------|------------| +| Platform monitoring | 24/7 uptime monitoring, alert response | £4,800 – £7,200 | +| Maintenance & patching | Monthly security updates, dependency upgrades | £3,600 – £4,800 | +| Extract ingestion support | Daily extract monitoring, failure resolution | £2,400 – £3,600 | +| JML notification support | On-call support for immediate leaver API | £3,600 – £6,000 | +| Minor enhancements | Up to 2 days/month enhancement work | £0 – £4,800 | +| Annual review & reporting | SLA performance, anomaly trend report | £1,200 – £2,400 | +| **Total Support** | | **£15,600 – £28,800** | + +--- + +## 5. Total Cost of Ownership (3-Year) + +| Year | Build | Infrastructure | Licences | Support | **Total** | +|------|-------|---------------|---------|---------|-----------| +| Year 1 | £102,000 – £140,000 | £3,960 – £14,400 | £3,000 – £8,100 | £15,600 – £28,800 | **£124,560 – £191,300** | +| Year 2 | — | £3,960 – £14,400 | £3,000 – £8,100 | £15,600 – £28,800 | **£22,560 – £51,300** | +| Year 3 | — | £3,960 – £14,400 | £3,000 – £8,100 | £15,600 – £28,800 | **£22,560 – £51,300** | +| **3-Year Total** | | | | | **£169,680 – £293,900** | + +--- + +## 6. Cost Reduction Options + +| Option | Saving | Trade-off | +|--------|--------|-----------| +| Use open-source middleware (n8n self-hosted) instead of MuleSoft | £1,200–£2,400/yr | Requires more in-house maintenance | +| Single-region hosting (no HA) | £4,000–£7,000/yr | No failover — risk to evacuation system | +| Client hosts infrastructure (Azure subscription) | £3,960–£14,400/yr | Client IT team takes on hosting responsibility | +| Phased delivery (Phases 1–3 only in Year 1) | £34,000–£55,000 deferred | Dashboard and alerting delivered Year 2 | +| Reuse existing Grafana/Power BI licence | £1,200–£2,400/yr | Dashboard in existing BI platform | + +--- + +## 7. 
Return on Investment Indicators + +| Benefit | Estimated Value | +|---------|----------------| +| Reduced evacuation muster time | Fire marshal time savings — ~£2,000–£5,000/yr | +| Leaver badge risk reduction | Avoids potential security incident — difficult to quantify, high consequence | +| Facilities space optimisation (from occupancy data) | 5–15% desk reduction if hot-desking enabled — potentially £50,000+/yr in real estate | +| Compliance with fire safety regulations | Avoids regulatory penalties | +| Reduced manual headcount reconciliation effort | 1–2 FTE hours/week saved — ~£5,000–£10,000/yr | + +--- + +## 8. Payment & Delivery Milestones + +| Milestone | Payment % | Trigger | +|-----------|-----------|---------| +| Contract signed | 20% | Project kickoff | +| Phase 1 & 2 complete | 25% | Identity registry live, all systems connected | +| Phase 3 complete | 20% | Occupancy engine live, UAT passed | +| Phase 4 complete | 20% | Dashboard and evacuation module live | +| Phase 5 complete / go-live | 15% | Full system in production, training delivered | diff --git a/docs/security-integration/04-client-slide-deck.md b/docs/security-integration/04-client-slide-deck.md new file mode 100644 index 00000000..78932524 --- /dev/null +++ b/docs/security-integration/04-client-slide-deck.md 
@@ -0,0 +1,486 @@ +# Slide Deck: Integrated Security Operations Platform +## "One Platform. Every Person. Every Moment." + +> **Presenter notes** are shown in `> blockquote` format after each slide. +> Deck is designed for a 20-minute client presentation with 10 minutes Q&A. +> Slides: 14 content slides + title + close. + +--- + +--- + +## SLIDE 1 — TITLE SLIDE + +``` +┌─────────────────────────────────────────────────────────┐ +│ │ +│ INTEGRATED SECURITY OPERATIONS PLATFORM │ +│ │ +│ One Platform. Every Person. Every Moment. │ +│ │ +│ ───────────────────────────────────────── │ +│ │ +│ Presented to: [CLIENT NAME] │ +│ Prepared by: [CONTRACTOR NAME] │ +│ Date: June 2026 │ +│ │ +└─────────────────────────────────────────────────────────┘ +``` + +> Open with: "Today I want to show you how we can connect the systems you already own into a single, reliable view of who is in your building — right now, at any moment." + +--- + +--- + +## SLIDE 2 — THE PROBLEM TODAY + +### Right Now, You Have Four Systems That Don't Talk to Each Other + +``` + ACT Door Condecco Booking Active + Control Visitors System Directory + ───────── ──────── ─────── ──────── + Who came in? Who visited? Who booked Who works + Who went out? Who's expected? a desk? here? + + │ │ │ │ + │ │ │ │ + ▼ ▼ ▼ ▼ + + SILOED SILOED SILOED SILOED +``` + +**The result:** +- ❌ No single answer to "Who is in the building right now?" +- ❌ Evacuation list is manual, slow, and unreliable +- ❌ Leavers' badges stay active because systems don't sync +- ❌ Facilities can't optimise space because occupancy is guesswork + +> Ask the room: "How long would it take today to produce a complete list of everyone in this building?" Let them answer. Then: "We can make that instant." + +--- + +--- + +## SLIDE 3 — THE COST OF NOT ACTING + +### Three Scenarios That Have Already Happened — Or Will + +--- + +**Scenario A — The Fire Drill** +> The fire alarm sounds. A warden stands at the muster point with a printed list from last Tuesday. 
It's missing three contractors who arrived this morning. The roll call takes 22 minutes. The regulator asks for a full evacuation report. + +--- + +**Scenario B — The Leaver** +> An employee is dismissed on a Friday afternoon. IT disables their email. Nobody tells Facilities. The ACT badge remains active all weekend. The employee returns Saturday morning. + +--- + +**Scenario C — The Ghost Occupant** +> The Booking system shows the building is at 40% capacity. Facilities reduce cleaning rosters and close the cafe early. In reality — 60% of people are present without bookings. Complaints spike. Costs are misjudged. + +--- + +> "Every one of these scenarios is preventable. They are not technology problems — they are integration problems. And that is exactly what we are here to solve." + +--- + +--- + +## SLIDE 4 — OUR SOLUTION + +### A Single Platform That Unifies Your Four Systems + +``` +┌─────────────────────────────────────────────────────────────┐ +│ │ +│ INTEGRATED SECURITY PLATFORM │ +│ │ +│ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ │ +│ │ ACT │ │ Condecco │ │ Booking │ │ AD │ │ +│ │ Door │ │ Visitors │ │ System │ │ Identity │ │ +│ │ Control │ │ │ │ │ │ │ │ +│ └────┬─────┘ └────┬─────┘ └────┬─────┘ └────┬─────┘ │ +│ └─────────────┴─────────────┴──────────────┘ │ +│ │ │ +│ ┌─────────▼──────────┐ │ +│ │ Integration Layer │ │ +│ │ Identity Registry │ │ +│ └─────────┬──────────┘ │ +│ │ │ +│ ┌────────────────────┼────────────────────┐ │ +│ ┌────▼────┐ ┌────▼────┐ ┌────▼────┐ │ +│ │ LIVE │ │ EVAC │ │ ALERTS │ │ +│ │OCCUPANCY│ │ LIST │ │ & AUDIT │ │ +│ └─────────┘ └─────────┘ └─────────┘ │ +│ │ +└─────────────────────────────────────────────────────────────┘ +``` + +**One dashboard. Real-time. Role-based. Always accurate.** + +> "We are not replacing any of your existing systems. We are connecting them. Your investment in ACT, Condecco, and your booking platform is preserved and enhanced." 
+ +--- + +--- + +## SLIDE 5 — USE CASE 1: LIVE BUILDING OCCUPANCY + +### Know Exactly Who Is in Your Building — Right Now + +``` +BUILDING A — LIVE OCCUPANCY 14:32:11 ● LIVE +═══════════════════════════════════════════════════════════════ + + Floor 1 ████████████████░░░░ 62% 41 people + Floor 2 ████████░░░░░░░░░░░░ 38% 25 people + Floor 3 ██████████████░░░░░░ 55% 36 people + Car Park ████████████░░░░░░░░ 48% 67 vehicles + + TOTAL IN BUILDING: 102 people + ├─ Employees: 84 + ├─ Visitors: 11 + └─ Contractors: 7 + + EXPECTED (bookings not yet arrived): 8 people + ANOMALIES: 1 ⚠ [View] +``` + +**What this enables:** +- Facilities: real-time space decisions (open/close areas, catering, cleaning) +- Security: instant headcount at any moment +- Management: genuine occupancy trend data for lease/space planning + +> "This view updates in real time as badge events happen. It works on desktop, tablet, and mobile. Your fire marshals can carry it in their pocket." + +--- + +--- + +## SLIDE 6 — USE CASE 2: EVACUATION LIST + +### From 22 Minutes to Under 60 Seconds + +**Before this platform:** +``` +Fire alarm → Warden grabs printed list (from last week) + → Manual roll call at muster point + → Phone calls to find missing people + → 15–30 minutes to confirm all clear + → Incomplete records for regulatory report +``` + +**After this platform:** +``` +Fire alarm → Warden opens tablet app + → Complete list generated instantly (as of seconds ago) + → Filtered by zone / floor / department + → PDF generated for regulator on demand + → Full audit trail preserved automatically +``` + +**Evacuation list includes:** +- Every employee, visitor, and contractor currently badged in +- Last known zone (floor/wing based on most recent access event) +- Host name for every visitor +- Flags for anomalies (revoked badge, disabled account) + +> "The evacuation list is not a report you run at 9am. 
It is a live view that is always accurate because it reflects actual badge events, not scheduled bookings." + +--- + +--- + +## SLIDE 7 — USE CASE 3: LEAVER DETECTION & ALERTS + +### No More Active Badges for People Who No Longer Work Here + +**How it works:** + +``` +Daily AD Extract ──► Integration Platform detects: + account_enabled changed to FALSE + │ + ▼ + Facilities notified automatically: + "John Smith account disabled — + please deactivate ACT badge EMP-1042" + │ + ▼ + If badge NOT deactivated within 2 hours: + ESCALATION ALERT to Security Operations +``` + +**For immediate leavers (dismissals):** +- IT sends a one-call API notification +- Platform immediately removes person from occupancy model +- If person is currently badged IN → Security alert raised within seconds + +> "This closes the most common physical security gap we see across organisations of your size. Typically 3–8% of active badges belong to people who have left the organisation." + +--- + +--- + +## SLIDE 8 — HOW WE HANDLE YOUR AD SITUATION + +### No Direct AD Access Required + +> *Addressing the contractor limitation proactively* + +**You may have heard: "But the contractor can't connect to our Active Directory."** + +**That is correct — and it is not a problem.** + +| Concern | Our Approach | +|---------|-------------| +| Can't read user accounts live | Daily encrypted extract delivered to us by your IT team | +| Can't detect leavers in real time | Manual API notification for same-day leavers (takes 2 minutes) | +| Can't validate access entitlements | Your IT team retains ownership — we provide the tooling | +| Data privacy of AD records | Extract contains minimum required fields only; encrypted in transit and at rest | + +**What your IT team does (once set up, automated):** +- Automated daily extract — runs overnight, no manual work +- One API call for immediate leavers — can be triggered from your helpdesk tool + +> "We designed this specifically for environments where external 
contractors cannot be given directory access — which is best practice. You get the benefits of integration without compromising your security posture." + +--- + +--- + +## SLIDE 9 — WHAT WE'RE CONNECTING + +### Your Existing Systems — No Replacement Required + +| System | What We Read | What Stays the Same | +|--------|-------------|---------------------| +| **ACT (Vanderblitz)** | Badge entry/exit events, badge status | ACT remains your access control system | +| **Condecco** | Visitor check-in/out, contractor records | Condecco remains your visitor management system | +| **Booking System** | Active reservations by zone and time | Booking system unchanged | +| **Active Directory** | Identity, department, account status (via extract) | Your IT team retains full AD ownership | + +**We add:** +- Integration layer (connects the four systems) +- Identity registry (the common person record) +- Occupancy engine (the state machine that tracks who is inside) +- Dashboard, evacuation module, and alerting + +> "Every pound you have spent on ACT, Condecco, and your booking system continues to deliver value. We are amplifying that investment, not replacing it." 
+ +--- + +--- + +## SLIDE 10 — DELIVERY PLAN + +### Phased Delivery — Value at Every Stage + +``` +PHASE 1 (Weeks 1–4) PHASE 2 (Weeks 5–10) +Identity Mapping System Integrations +───────────────── ──────────────────── +✓ Badge → AD linkage ✓ ACT live event feed +✓ Identity registry ✓ Condecco connected +✓ AD extract pipeline ✓ Booking system connected +✓ JML workflow ✓ End-to-end testing + +PHASE 3 (Weeks 11–14) PHASE 4 (Weeks 15–18) +Occupancy Engine Dashboard & Evacuation +──────────────── ────────────────────── +✓ Entry/exit tracking ✓ Live occupancy dashboard +✓ Zone-level occupancy ✓ Evacuation list module +✓ Anti-passback handling ✓ Mobile/tablet optimised +✓ Multi-source reconciliation ✓ PDF export & audit trail + +PHASE 5 (Weeks 19–21) GO LIVE (Week 22) +Alerting & Hardening ───────────────── +✓ Anomaly alerts ✓ Full system in production +✓ Penetration test ✓ Staff training completed +✓ Audit logging ✓ Handover documentation +✓ Security hardening ✓ Support contract active +``` + +**Total: 22 weeks from contract signing to full production** + +> "We use a phased approach so you can see working software at each stage — not a 6-month black box. By the end of Phase 2, your four systems are connected. By Phase 4, your fire marshals have their new tool." + +--- + +--- + +## SLIDE 11 — INVESTMENT SUMMARY + +### Cost of Building vs. 
Cost of Not Building + +``` +BUILD INVESTMENT +──────────────── + Year 1 (build + operate): £133,000 – £192,000 + Year 2+ (operate only): £31,000 – £52,000 + 3-Year Total: £170,000 – £294,000 + +COMPARE TO COST OF NOT BUILDING +───────────────────────────────── + Security incident (ex-employee badge): £50,000 – £500,000+ + Regulatory fine (fire safety breach): £5,000 – £50,000 + Space inefficiency (wrong occupancy data): £50,000+/yr + Manual evacuation administration: £5,000 – £10,000/yr + +BREAKEVEN POINT: Typically Year 1–2 +``` + +**Payment milestones tied to delivery:** +- 20% on contract signing +- 60% across Phases 1–4 completion +- 20% on go-live and handover + +> "We are not asking you to fund a black-box project. Payment tracks delivery. If we don't deliver, you don't pay." + +--- + +--- + +## SLIDE 12 — WHAT SUCCESS LOOKS LIKE + +### Measurable Outcomes — 90 Days After Go-Live + +| Metric | Before | After | Target | +|--------|--------|-------|--------| +| Evacuation list generation time | 15–30 min | < 60 sec | ✓ | +| Active badges for leavers | Unknown (typically 3–8%) | 0% within 24h of departure | ✓ | +| Occupancy data accuracy | ~40% (manual/assumed) | >95% (badge-verified) | ✓ | +| Time to answer "who is in building?" | 20+ minutes | Instant | ✓ | +| JML processing time (planned leaver) | Days (manual) | Next morning (automated) | ✓ | +| JML processing time (immediate leaver) | Hours (ad hoc) | < 30 minutes (process) | ✓ | + +> "We will agree these KPIs with you before we start, and we will report against them 30, 60, and 90 days post go-live." 
+ +--- + +--- + +## SLIDE 13 — WHY US + +### We Built This for Environments Like Yours + +**Our approach:** +- **No big-bang replacement** — we connect what you have +- **Contractor-safe design** — no AD access required from day one +- **Phased delivery** — working software every 4–5 weeks +- **Process + technology** — we write the JML procedures and extract specs, not just the code +- **Handed over, not held hostage** — full documentation and training; you own the system + +**Our experience:** +- Physical security integration projects: [X projects] +- ACT / Vanderblitz integrations: [X] +- Organisations without AD-contractor access: [X] + +> If you have references/case studies, add them here. If not: "We are happy to arrange a reference call with a previous client in a similar environment." + +--- + +--- + +## SLIDE 14 — RISKS & HOW WE MANAGE THEM + +### We Are Transparent About What Could Go Wrong + +| Risk | Likelihood | Our Mitigation | +|------|-----------|----------------| +| ACT API limited documentation | Medium | Vendor engagement budget included; fallback to log file parsing | +| AD extract delivery failures | Low | Automated monitoring; alert within 1 hour of missed extract | +| Immediate leaver notification delay | Medium | Process SLA agreed with HR/IT; badge expiry as safety net | +| Tailgating (unregistered persons) | High (inherent) | Clearly scoped out — platform tracks badged persons only | +| Scope creep | Medium | Fixed-price phases; change request process defined upfront | + +**What we need from you:** +- [ ] API documentation / sandbox access for ACT, Condecco, Booking +- [ ] IT team contact for AD extract setup (4 hours of their time) +- [ ] Facilities contact for ACT badge configuration +- [ ] Named Project Sponsor and decision-maker + +> "We believe the best partnerships start with honesty about risk. None of the risks above are showstoppers — they are managed." 
+ +--- + +--- + +## SLIDE 15 — NEXT STEPS + +### How We Get Started + +``` + TODAY WEEK 1 WEEK 2 WEEK 4 + ───── ────── ────── ────── + Agree to Discovery Contract Phase 1 + proceed Workshop Signed Begins + │ │ │ │ + ▼ ▼ ▼ ▼ + Nominate Map all systems Agree KPIs Identity + project and APIs and SLAs registry + sponsor available live +``` + +**We ask for a decision within 2 weeks so we can:** +- Reserve the delivery team +- Schedule the discovery workshop +- Begin API documentation review + +--- + +**Questions?** + +Contact: [Contractor Name] +Email: [contact@contractor.com] +Phone: [+44 xxx xxxx xxxx] + +--- + +> Close with: "The building you manage has hundreds of people moving through it every day. Right now, you have four systems watching different pieces of that picture. We will join those pieces together — so that when the fire alarm goes, when a leaver needs to be locked out, when your CEO asks 'how full is the building today?' — you have one answer, instantly, that you can trust." + +--- + +--- + +## APPENDIX A — TECHNICAL ARCHITECTURE (Leave-Behind) + +``` +┌──────────────────────────────────────────────────────────────┐ +│ CONTRACTOR-MANAGED PLATFORM │ +│ │ +│ Data Sources Integration Layer Outputs │ +│ ──────────── ───────────────── ─────── │ +│ ACT (badge events) ──► │ +│ Condecco (visitors)──► API Gateway ► Dashboard │ +│ Booking (reserv.) 
───► Identity Registry ► Evacuation List │ +│ AD Extract (daily)───► Occupancy Engine ► Alerts │ +│ JML Processor ► Audit Log │ +│ │ +│ CLIENT OBLIGATIONS │ +│ ────────────────── │ +│ Daily AD extract (automated, 06:00) │ +│ Manual leaver notification (immediate leavers, <30 min) │ +│ Badge type governance in ACT │ +│ │ +└──────────────────────────────────────────────────────────────┘ +``` + +--- + +## APPENDIX B — GLOSSARY + +| Term | Definition | +|------|-----------| +| **ACT** | Access Control Technology — the door/badge access system managed by Vanderblitz | +| **Condecco** | Visitor and contractor management platform | +| **AD** | Active Directory — Microsoft's identity and authentication directory | +| **JML** | Joiner / Mover / Leaver — the lifecycle of an employee or contractor identity | +| **Identity Registry** | The contractor-maintained database that links badge IDs, email addresses, and AD records into a single person record | +| **Occupancy Engine** | The software component that tracks who is inside the building in real time based on badge entry and exit events | +| **Anti-passback** | A physical access control rule that prevents a badge from being used to enter the same zone twice without an intervening exit | +| **PSIM** | Physical Security Information Management — the category of software that integrates multiple security systems into a single view | From 72beb168ccf1511853a23e3e2053240edc1c6003 Mon Sep 17 00:00:00 2001 
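Review bot: Slide 7 and Slide 8 make the immediate-leaver path a single inbound API call from the client's helpdesk tool ("IT sends a one-call API notification", "One API call for immediate leavers — can be triggered from your helpdesk tool"), and Appendix A routes it through the API Gateway, but neither the slides nor the Appendix A client obligations say how that call is authenticated or that each call is written to the Audit Log output. Since this call removes a person from the occupancy model and drives the Security alert on Slide 7, the leave-behind appendix should name the authentication mechanism for the inbound call (for example mutual TLS or a per-client signed request) and state that every notification, accepted or rejected, is recorded in the audit log. Separately, the Slide 5 mock-up shows a "Car Park 48% 67 vehicles" row, while Slide 9 and Appendix A list only ACT badge events, Condecco, Booking and the AD extract as data sources; either state that vehicle counts come from ACT barrier events or drop the row so the mock-up matches the scoped sources.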
From: Claude Date: Wed, 3 Jun 2026 06:52:15 +0000 Subject: [PATCH 2/2] Revise cost breakdown and slide deck with honest positioning MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reduces build estimate to £12k-£22k reflecting actual integration scope. Reframes pitch around the genuine 20% gap (visitors, contractors, leaver badges) rather than overclaiming against existing ACT/warden capability. https://claude.ai/code/session_01VQ2Vk1qd2nMMQKD4MM5KQs --- .../security-integration/03-cost-breakdown.md | 252 +++---- .../04-client-slide-deck.md | 637 +++++++++--------- 2 files changed, 434 insertions(+), 455 deletions(-) diff --git a/docs/security-integration/03-cost-breakdown.md b/docs/security-integration/03-cost-breakdown.md index aadced98..c5c71d00 100644 --- a/docs/security-integration/03-cost-breakdown.md +++ b/docs/security-integration/03-cost-breakdown.md 
@@ -1,199 +1,147 @@ # Project Cost Breakdown — Integrated Security Operations Platform -**Document:** COST-BREAKDOWN-v1.0 -**Classification:** Commercial in Confidence -**Prepared for:** Client Presentation +**Document:** COST-BREAKDOWN-v2.0 (Revised — Honest Estimates) +**Classification:** Commercial in Confidence +**Prepared for:** Client Presentation -> All figures in GBP. Adjust currency and rates for your market. -> Ranges reflect low/high complexity scenarios — finalised after discovery workshop. +> This is an **integration project**, not a platform build. All four source systems +> (ACT, Condecco, Booking, Active Directory) already exist and already hold the data. +> The work is connecting them, not building them. Costs reflect that reality. --- -## 1. Summary - -| Phase | One-Off Cost | Annual Recurring | -|-------|-------------|-----------------| -| Phase 1 — Identity Mapping & Foundations | £18,000 – £24,000 | — | -| Phase 2 — System Integration (ACT, Condecco, Booking) | £32,000 – £45,000 | — | -| Phase 3 — Occupancy Engine | £18,000 – £25,000 | — | -| Phase 4 — Dashboard & Evacuation Module | £22,000 – £30,000 | — | -| Phase 5 — Alerting, Audit & Hardening | £12,000 – £16,000 | — | -| **Total Build** | **£102,000 – £140,000** | — | -| Infrastructure (cloud hosting) | — | £8,400 – £14,400 | -| Support & Managed Service | — | £18,000 – £28,000 | -| Licence fees (third-party tools) | — | £4,800 – £9,600 | -| **Total Annual Operating Cost** | — | **£31,200 – £52,000** | -| **Year 1 Total (Build + Operate)** | **£133,200 – £192,000** | | -| **Year 2+ Annual Cost** | — | **£31,200 – £52,000** | +## 1. What We Are Actually Building ---- - -## 2. 
Build Cost Detail +``` +EXISTING (client already owns) WE ADD (integration only) +────────────────────────────── ───────────────────────── +ACT door control ──────────► Thin integration service +Condecco visitor system ──────────► (reads APIs, no new UI needed +Booking system ──────────► in source systems) +AD daily extract ──────────► -### Phase 1 — Identity Mapping & Foundations (£18,000 – £24,000) + Identity registry (small DB) + Occupancy state (simple logic) + Single dashboard (Power BI / + Grafana or lightweight web app) + Evacuation tablet view + Leaver alert workflow +``` -| Work Item | Days | Rate/Day | Low | High | -|-----------|------|----------|-----|------| -| Discovery workshop & system inventory | 3 | £900 | £2,700 | £3,600 | -| ACT badge-to-AD mapping exercise | 3 | £900 | £2,700 | £3,600 | -| Identity registry database design | 3 | £900 | £2,700 | £3,600 | -| AD extract ingestion pipeline | 4 | £900 | £3,600 | £5,400 | -| Email as common key enforcement | 2 | £900 | £1,800 | £2,700 | -| JML workflow implementation | 5 | £900 | £4,500 | £5,100 | -| **Phase 1 Total** | **20–24 days** | | **£18,000** | **£24,000** | +This is **not** an enterprise platform. It is a focused integration service with a dashboard on top. A single skilled developer can deliver it. --- -### Phase 2 — System Integrations (£32,000 – £45,000) +## 2. 
Honest Build Cost -| Integration | Complexity | Days | Low | High | -|-------------|-----------|------|-----|------| -| ACT (Vanderblitz) — event streaming | Medium-High | 8–12 | £7,200 | £10,800 | -| ACT — badge provisioning API | Medium | 5–7 | £4,500 | £6,300 | -| Condecco — visitor/contractor API | Medium | 6–8 | £5,400 | £7,200 | -| Booking system — reservation API | Medium | 5–8 | £4,500 | £7,200 | -| Integration middleware setup | Medium | 4–5 | £3,600 | £4,500 | -| API gateway & authentication | Low | 3–4 | £2,700 | £3,600 | -| End-to-end integration testing | Medium | 5–7 | £4,500 | £6,300 | -| **Phase 2 Total** | **36–51 days** | | **£32,400** | **£45,900** | - -> **Note:** ACT (Vanderblitz) integration complexity depends on API documentation availability and whether a supported SDK exists. If vendor cooperation is required, add £3,000–£6,000 for vendor engagement. +### Assumptions +- 1 developer, using modern tooling (AI-assisted development, existing open-source libraries) +- APIs for ACT, Condecco, and Booking are documented and accessible +- Client IT team delivers the AD extract (their effort, not billable to this project) +- Dashboard uses Power BI (if client has M365 licence — likely free) or Grafana (open source) +- Hosting on Azure or AWS — client may already have a subscription --- -### Phase 3 — Occupancy Engine (£18,000 – £25,000) +### Phase Breakdown -| Work Item | Days | Low | High | -|-----------|------|-----|------| -| Entry/exit state machine design | 3 | £2,700 | £3,600 | -| Zone-level occupancy tracking | 5 | £4,500 | £5,400 | -| Anti-passback & tailgating handling | 4 | £3,600 | £4,500 | -| End-of-day auto-clear logic | 2 | £1,800 | £2,700 | -| Multi-source reconciliation (ACT + Condecco + Booking) | 5 | £4,500 | £5,400 | -| Unit & integration testing | 4 | £3,600 | £3,600 | -| **Phase 3 Total** | **23–28 days** | **£20,700** | **£25,200** | +| Phase | What Gets Built | Days | Cost (£700/day) | 
+|-------|----------------|------|-----------------| +| **1. Discovery & Identity Mapping** | API access confirmed, badge→email linkage, identity registry DB schema | 3 | £2,100 | +| **2. Integrations** | ACT event feed, Condecco API, Booking API, AD extract ingestion | 6 | £4,200 | +| **3. Occupancy Logic** | Entry/exit state, zone tracking, end-of-day clear | 3 | £2,100 | +| **4. Dashboard & Evacuation View** | Live occupancy (Power BI / Grafana), evacuation tablet view, PDF export | 4 | £2,800 | +| **5. Leaver Alerts & Testing** | Anomaly alerts, JML notifications, end-to-end testing, UAT | 4 | £2,800 | +| **Contingency (20%)** | API surprises, client-side delays, extra testing | 4 | £2,800 | +| **Total** | | **24 days** | **£16,800** | ---- - -### Phase 4 — Dashboard & Evacuation Module (£22,000 – £30,000) - -| Work Item | Days | Low | High | -|-----------|------|-----|------| -| Dashboard UI (live occupancy by zone/floor) | 6 | £5,400 | £7,200 | -| Evacuation list generator (zone/department/person-type filters) | 5 | £4,500 | £5,400 | -| PDF/print export for evacuation | 2 | £1,800 | £2,700 | -| Tablet/mobile optimised evacuation view | 3 | £2,700 | £3,600 | -| Offline fallback (PWA with cached list) | 3 | £2,700 | £3,600 | -| Role-based access control (Warden / Security / Admin) | 3 | £2,700 | £3,600 | -| User acceptance testing | 4 | £3,600 | £3,600 | -| **Phase 4 Total** | **26–32 days** | **£23,400** | **£29,700** | +> **Day rate note:** £700/day reflects an independent developer or small agency. +> A large consultancy would charge £1,200–£1,800/day for the same work — that is +> where inflated quotes come from. The work is the same. --- -### Phase 5 — Alerting, Audit & Hardening (£12,000 – £16,000) - -| Work Item | Days | Low | High | -|-----------|------|-----|------| -| Anomaly alert rules (leaver in building, after-hours access, etc.) 
| 3 | £2,700 | £3,600 | -| Email/Teams/SMS alert integration | 2 | £1,800 | £2,700 | -| Audit log implementation | 2 | £1,800 | £2,700 | -| Penetration testing (external) | 3 | £2,700 | £3,600 | -| Security hardening & remediation | 2 | £1,800 | £2,700 | -| Handover documentation & training | 2 | £1,800 | £1,800 | -| **Phase 5 Total** | **14–16 days** | **£12,600** | **£17,100** | +### What Affects Cost Up or Down ---- +| Factor | Reduces Cost | Increases Cost | +|--------|-------------|----------------| +| ACT API quality | Well-documented REST API | No API — requires log file parsing or vendor engagement | +| Condecco API availability | Standard REST/webhooks | Custom export only | +| Client has M365 / Power BI | Dashboard near-free | Need to build custom UI (+3–5 days) | +| Client hosts infrastructure | Saves ongoing cost | N/A | +| AD extract already automated | -1 day | Manual extract requires scripting support | -## 3. Infrastructure — Annual Operating Cost +**Realistic range: £12,000 – £22,000 build cost.** -### 3.1 Cloud Hosting (Azure / AWS) +--- -| Component | Spec | Monthly | Annual | -|-----------|------|---------|--------| -| Application server | 2 vCPU, 4GB RAM (Standard tier) | £80–£140 | £960–£1,680 | -| Database server | PostgreSQL managed, 50GB | £60–£100 | £720–£1,200 | -| Elasticsearch / search | Small cluster (3 nodes) | £150–£300 | £1,800–£3,600 | -| Storage (logs, extracts) | 500GB | £10–£20 | £120–£240 | -| Backup & DR | Daily snapshots, 30-day retention | £20–£40 | £240–£480 | -| Networking / egress | Estimated | £10–£20 | £120–£240 | -| **Total Infrastructure** | | **£330–£620/mo** | **£3,960–£7,440** | +## 3. Infrastructure — Annual Running Cost -> High-availability (HA) configuration with failover doubles infrastructure cost. Recommended if evacuation system is safety-critical. +> The client likely already has cloud infrastructure. If so, these costs may be near zero. 
-| Configuration | Annual Cost | -|--------------|------------| -| Standard (single-region) | £3,960 – £7,440 | -| High Availability (multi-zone failover) | £7,920 – £14,400 | +| Component | Option A: Client's existing Azure/AWS | Option B: Contractor-hosted | +|-----------|--------------------------------------|----------------------------| +| App hosting | £0 (existing subscription) | £50–£80/month | +| Database (PostgreSQL) | £0 or minimal | £30–£60/month | +| Dashboard (Power BI) | £0 (M365 licence) | £20–£50/month (Grafana Cloud) | +| Storage & backups | £0 or minimal | £10–£20/month | +| **Annual total** | **£0 – £500** | **£1,320 – £2,520** | --- -### 3.2 Third-Party Licences +## 4. Ongoing Support -| Tool | Purpose | Annual Cost | -|------|---------|------------| -| Integration middleware (e.g. MuleSoft Starter / n8n Cloud) | System connectors | £1,200 – £3,600 | -| SIEM / log management (e.g. Elastic Cloud / Splunk free tier) | Audit log storage | £1,200 – £2,400 | -| Alerting (PagerDuty / Opsgenie) | Incident notifications | £600 – £1,800 | -| SSL certificates | TLS for all endpoints | Free (Let's Encrypt) – £300 | -| **Total Licences** | | **£3,000 – £8,100** | - ---- +This is a simple integration — not a complex platform requiring a managed service team. -## 4. 
Support & Managed Service — Annual +| Support Type | What It Covers | Annual Cost | +|-------------|----------------|------------| +| Break-fix maintenance | Fix issues if an API changes or extract fails | £1,500 – £3,000 | +| Minor enhancements | 1–2 small improvements per year | £700 – £2,100 | +| Annual health check | Review, update dependencies, test evacuation export | £700 | +| **Total annual support** | | **£2,900 – £5,800** | -| Service | Description | Annual Cost | -|---------|-------------|------------| -| Platform monitoring | 24/7 uptime monitoring, alert response | £4,800 – £7,200 | -| Maintenance & patching | Monthly security updates, dependency upgrades | £3,600 – £4,800 | -| Extract ingestion support | Daily extract monitoring, failure resolution | £2,400 – £3,600 | -| JML notification support | On-call support for immediate leaver API | £3,600 – £6,000 | -| Minor enhancements | Up to 2 days/month enhancement work | £0 – £4,800 | -| Annual review & reporting | SLA performance, anomaly trend report | £1,200 – £2,400 | -| **Total Support** | | **£15,600 – £28,800** | +> After handover with full documentation, a client with an internal IT team can +> self-support. External support is optional, not mandatory. --- ## 5. 
Total Cost of Ownership (3-Year) -| Year | Build | Infrastructure | Licences | Support | **Total** | -|------|-------|---------------|---------|---------|-----------| -| Year 1 | £102,000 – £140,000 | £3,960 – £14,400 | £3,000 – £8,100 | £15,600 – £28,800 | **£124,560 – £191,300** | -| Year 2 | — | £3,960 – £14,400 | £3,000 – £8,100 | £15,600 – £28,800 | **£22,560 – £51,300** | -| Year 3 | — | £3,960 – £14,400 | £3,000 – £8,100 | £15,600 – £28,800 | **£22,560 – £51,300** | -| **3-Year Total** | | | | | **£169,680 – £293,900** | +| | Low Estimate | High Estimate | +|--|-------------|--------------| +| **Build (one-off)** | £12,000 | £22,000 | +| **Year 1 infrastructure** | £0 | £2,520 | +| **Year 1 support** | £2,900 | £5,800 | +| **Year 1 Total** | **£14,900** | **£30,320** | +| Year 2 (operate only) | £2,900 | £8,320 | +| Year 3 (operate only) | £2,900 | £8,320 | +| **3-Year Total** | **£20,700** | **£46,960** | --- -## 6. Cost Reduction Options - -| Option | Saving | Trade-off | -|--------|--------|-----------| -| Use open-source middleware (n8n self-hosted) instead of MuleSoft | £1,200–£2,400/yr | Requires more in-house maintenance | -| Single-region hosting (no HA) | £4,000–£7,000/yr | No failover — risk to evacuation system | -| Client hosts infrastructure (Azure subscription) | £3,960–£14,400/yr | Client IT team takes on hosting responsibility | -| Phased delivery (Phases 1–3 only in Year 1) | £34,000–£55,000 deferred | Dashboard and alerting delivered Year 2 | -| Reuse existing Grafana/Power BI licence | £1,200–£2,400/yr | Dashboard in existing BI platform | - ---- +## 6. Comparison: What You Are Paying For vs. What You Already Have -## 7. 
Return on Investment Indicators +| Capability | Today (Free — Already Exists) | After Integration | +|-----------|------------------------------|-------------------| +| Employee evacuation list | ✓ ACT can export this | ✓ Same, plus automated | +| Visitor on evacuation list | ✗ Manual Condecco check | ✓ Automatic | +| Contractor on evacuation list | ✗ Separate sign-in sheet | ✓ Automatic | +| Leaver badge detection | ✗ Manual / ad hoc | ✓ Automated, same day | +| Live occupancy view | ✗ Not available | ✓ Real-time dashboard | +| Audit trail for regulators | ✗ Three separate exports | ✓ Single timestamped log | -| Benefit | Estimated Value | -|---------|----------------| -| Reduced evacuation muster time | Fire marshal time savings — ~£2,000–£5,000/yr | -| Leaver badge risk reduction | Avoids potential security incident — difficult to quantify, high consequence | -| Facilities space optimisation (from occupancy data) | 5–15% desk reduction if hot-desking enabled — potentially £50,000+/yr in real estate | -| Compliance with fire safety regulations | Avoids regulatory penalties | -| Reduced manual headcount reconciliation effort | 1–2 FTE hours/week saved — ~£5,000–£10,000/yr | +**The honest value add is narrow but meaningful:** +you are paying £12,000–£22,000 to close the visitor/contractor gap, +automate the leaver risk, and have one screen instead of three phone calls. --- -## 8. Payment & Delivery Milestones +## 7. 
Payment Milestones -| Milestone | Payment % | Trigger | -|-----------|-----------|---------| -| Contract signed | 20% | Project kickoff | -| Phase 1 & 2 complete | 25% | Identity registry live, all systems connected | -| Phase 3 complete | 20% | Occupancy engine live, UAT passed | -| Phase 4 complete | 20% | Dashboard and evacuation module live | -| Phase 5 complete / go-live | 15% | Full system in production, training delivered | +| Milestone | % | Amount (mid estimate) | +|-----------|---|----------------------| +| Contract signed | 25% | £4,250 | +| Systems connected (Phase 2 complete) | 35% | £5,950 | +| Go-live (dashboard + evacuation live) | 30% | £5,100 | +| 30-day post go-live sign-off | 10% | £1,700 | +| **Total** | | **£17,000** | diff --git a/docs/security-integration/04-client-slide-deck.md b/docs/security-integration/04-client-slide-deck.md index 78932524..717d9c75 100644 --- a/docs/security-integration/04-client-slide-deck.md +++ b/docs/security-integration/04-client-slide-deck.md @@ -1,9 +1,11 @@ # Slide Deck: Integrated Security Operations Platform -## "One Platform. Every Person. Every Moment." +## "Your Systems Are 80% There. We Close the 20% That Matters." -> **Presenter notes** are shown in `> blockquote` format after each slide. -> Deck is designed for a 20-minute client presentation with 10 minutes Q&A. -> Slides: 14 content slides + title + close. +**Version 2.0 — Honest Positioning** + +> **Presenter notes** shown in `> blockquote` format after each slide. +> Designed for a 20-minute client presentation + 10 minutes Q&A. +> 13 content slides + title + close. --- @@ -16,7 +18,8 @@ │ │ │ INTEGRATED SECURITY OPERATIONS PLATFORM │ │ │ -│ One Platform. Every Person. Every Moment. │ +│ Your systems are 80% there. │ +│ We close the 20% that matters. │ │ │ │ ───────────────────────────────────────── │ │ │ 
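Review bot: The revised phase table in section 2 drops the line items v1 had for role-based access control (Phase 4), audit log implementation, external penetration testing and security hardening (Phase 5), yet section 6 still promises a "Single timestamped log" as the audit trail for regulators and the evacuation view remains the safety-critical output, so the revision should either add an explicit row for access control, audit logging and a security review to Phase 5 (even at a day or two at £700/day) or say in the Assumptions that these are out of scope and who owns them. The same goes for backup: v1 costed daily snapshots with 30-day retention, while the new infrastructure table has only a "Storage & backups" row with no retention stated; for an evacuation record that has to be produced for a regulator, state how long extracts and audit entries are kept. The arithmetic in sections 2, 3, 5 and 7 checks out (24 days at £700 = £16,800; Year 1 high £22,000 + £2,520 + £5,800 = £30,320; Option B £110–£210/month = £1,320–£2,520/year; milestones sum to £17,000).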
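Review bot: The presenter-notes header is changed from "14 content slides + title + close" to "13 content slides + title + close", but the v1 deck in the previous patch numbers its slides SLIDE 1 (title) through SLIDE 15 (Next Steps), so the old count already did not match the deck; confirm that the revised deck's slide numbering actually totals 13 content slides plus title and close, or drop the count from the header so it cannot drift again.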
@@ -27,460 +30,488 @@ └─────────────────────────────────────────────────────────┘ ``` -> Open with: "Today I want to show you how we can connect the systems you already own into a single, reliable view of who is in your building — right now, at any moment." +> "I want to start by saying something you don't usually hear in a pitch: +> your current setup is actually pretty good. ACT gives you an evacuation +> list. Your floor wardens know their people. IT can pull an AD export. +> Today I am going to show you the specific gaps that still exist — and +> explain why closing them is worth a modest investment." --- --- -## SLIDE 2 — THE PROBLEM TODAY - -### Right Now, You Have Four Systems That Don't Talk to Each Other +## SLIDE 2 — WHAT YOU ALREADY HAVE (AND IT IS GOOD) -``` - ACT Door Condecco Booking Active - Control Visitors System Directory - ───────── ──────── ─────── ──────── - Who came in? Who visited? Who booked Who works - Who went out? Who's expected? a desk? here? +### Your Current Process Works for Most Scenarios - │ │ │ │ - │ │ │ │ - ▼ ▼ ▼ ▼ +| What You Have | What It Does Well | +|--------------|-------------------| +| **ACT (Vanderblitz)** | Produces an evacuation list of badged-in employees instantly | +| **Floor Wardens** | Know their regular team members by name and face | +| **Condecco** | Logs every visitor who signed in at reception | +| **IT / AD** | Can pull a full list of active employees on request | - SILOED SILOED SILOED SILOED -``` +**For a routine fire drill on a normal Wednesday: this works.** -**The result:** -- ❌ No single answer to "Who is in the building right now?" -- ❌ Evacuation list is manual, slow, and unreliable -- ❌ Leavers' badges stay active because systems don't sync -- ❌ Facilities can't optimise space because occupancy is guesswork +A warden pulls the ACT list, knows their floor, confirms their team. +The drill runs. The register is signed. Done. 
-> Ask the room: "How long would it take today to produce a complete list of everyone in this building?" Let them answer. Then: "We can make that instant." +> "We are not here to tell you your current process is broken. It isn't — +> for the 80% case. What we want to talk about is the other 20%." --- --- -## SLIDE 3 — THE COST OF NOT ACTING +## SLIDE 3 — THE 20% THAT STILL FAILS -### Three Scenarios That Have Already Happened — Or Will +### Three Specific Scenarios Where the Current Process Has a Gap --- -**Scenario A — The Fire Drill** -> The fire alarm sounds. A warden stands at the muster point with a printed list from last Tuesday. It's missing three contractors who arrived this morning. The roll call takes 22 minutes. The regulator asks for a full evacuation report. +**Gap 1 — The Visitor Who Isn't on the ACT List** ---- - -**Scenario B — The Leaver** -> An employee is dismissed on a Friday afternoon. IT disables their email. Nobody tells Facilities. The ACT badge remains active all weekend. The employee returns Saturday morning. +> *It's 2pm on a Tuesday. A client group of four arrived at 1pm and signed into +> Condecco. They are on Floor 3 with your Sales team. The fire alarm sounds.* ---- +- ACT evacuation list: does not include them (no ACT badge — visitor pass only) +- Floor warden: may not know they are there if the Sales host didn't mention it +- Condecco: has the record — but it's on a desktop at reception, two floors away -**Scenario C — The Ghost Occupant** -> The Booking system shows the building is at 40% capacity. Facilities reduce cleaning rosters and close the cafe early. In reality — 60% of people are present without bookings. Complaints spike. Costs are misjudged. +**Result: four unaccounted persons at the muster point.** --- -> "Every one of these scenarios is preventable. They are not technology problems — they are integration problems. And that is exactly what we are here to solve." 
+**Gap 2 — The Contractor Who Falls Between Systems** ---- +> *A facilities contractor has been on site for three weeks on a temporary ACT badge. +> They finish their contract today and hand back the badge. Or they don't.* + +- ACT: badge may still be active (nobody told Facilities it expired) +- Condecco: contractor may not be registered (Condecco is for visitors, not contractors) +- Floor warden: may not know this person's name or whether they left --- -## SLIDE 4 — OUR SOLUTION +**Gap 3 — The Leaver Whose Badge Was Never Deactivated** -### A Single Platform That Unifies Your Four Systems +> *An employee resigned two weeks ago. IT disabled their email and AD account. +> Nobody told Facilities. The ACT badge is still active.* -``` -┌─────────────────────────────────────────────────────────────┐ -│ │ -│ INTEGRATED SECURITY PLATFORM │ -│ │ -│ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ │ -│ │ ACT │ │ Condecco │ │ Booking │ │ AD │ │ -│ │ Door │ │ Visitors │ │ System │ │ Identity │ │ -│ │ Control │ │ │ │ │ │ │ │ -│ └────┬─────┘ └────┬─────┘ └────┬─────┘ └────┬─────┘ │ -│ └─────────────┴─────────────┴──────────────┘ │ -│ │ │ -│ ┌─────────▼──────────┐ │ -│ │ Integration Layer │ │ -│ │ Identity Registry │ │ -│ └─────────┬──────────┘ │ -│ │ │ -│ ┌────────────────────┼────────────────────┐ │ -│ ┌────▼────┐ ┌────▼────┐ ┌────▼────┐ │ -│ │ LIVE │ │ EVAC │ │ ALERTS │ │ -│ │OCCUPANCY│ │ LIST │ │ & AUDIT │ │ -│ └─────────┘ └─────────┘ └─────────┘ │ -│ │ -└─────────────────────────────────────────────────────────────┘ -``` +- Floor warden: sees a familiar face, assumes they still work there +- ACT list: still shows them as an employee +- No system flags this as unusual -**One dashboard. Real-time. Role-based. Always accurate.** - -> "We are not replacing any of your existing systems. We are connecting them. Your investment in ACT, Condecco, and your booking platform is preserved and enhanced." +> "None of these are edge cases. 
In a building of your size, Gap 1 happens +> every day. Gap 3 is almost certainly present right now — the average +> organisation has 3–5% of active badges assigned to people who have left." --- --- -## SLIDE 5 — USE CASE 1: LIVE BUILDING OCCUPANCY +## SLIDE 4 — WHAT WE ARE NOT PROPOSING -### Know Exactly Who Is in Your Building — Right Now +### Let's Be Clear About Scope -``` -BUILDING A — LIVE OCCUPANCY 14:32:11 ● LIVE -═══════════════════════════════════════════════════════════════ +**We are NOT proposing:** +- ❌ Replacing ACT, Condecco, or your Booking system +- ❌ A large enterprise platform with years of implementation +- ❌ A system that changes how your floor wardens work +- ❌ A £100,000+ project - Floor 1 ████████████████░░░░ 62% 41 people - Floor 2 ████████░░░░░░░░░░░░ 38% 25 people - Floor 3 ██████████████░░░░░░ 55% 36 people - Car Park ████████████░░░░░░░░ 48% 67 vehicles +**We ARE proposing:** +- ✓ A thin integration layer that connects what you already own +- ✓ One screen that combines ACT + Condecco + Booking into a single view +- ✓ An automated alert when a badge is active but the AD account is disabled +- ✓ A tablet app for wardens — same job, complete data, no phone calls +- ✓ Delivered in 8 weeks by a small team at a realistic cost - TOTAL IN BUILDING: 102 people - ├─ Employees: 84 - ├─ Visitors: 11 - └─ Contractors: 7 - - EXPECTED (bookings not yet arrived): 8 people - ANOMALIES: 1 ⚠ [View] -``` - -**What this enables:** -- Facilities: real-time space decisions (open/close areas, catering, cleaning) -- Security: instant headcount at any moment -- Management: genuine occupancy trend data for lease/space planning - -> "This view updates in real time as badge events happen. It works on desktop, tablet, and mobile. Your fire marshals can carry it in their pocket." +> "This is a focused piece of work. We are not selling you a platform. +> We are selling you the joins between platforms you already paid for." 
--- --- -## SLIDE 6 — USE CASE 2: EVACUATION LIST +## SLIDE 5 — THE SPECIFIC VALUE ADD -### From 22 Minutes to Under 60 Seconds +### What Changes — and What Stays the Same -**Before this platform:** -``` -Fire alarm → Warden grabs printed list (from last week) - → Manual roll call at muster point - → Phone calls to find missing people - → 15–30 minutes to confirm all clear - → Incomplete records for regulatory report ``` +TODAY AFTER INTEGRATION +───── ───────────────── -**After this platform:** -``` -Fire alarm → Warden opens tablet app - → Complete list generated instantly (as of seconds ago) - → Filtered by zone / floor / department - → PDF generated for regulator on demand - → Full audit trail preserved automatically +Warden pulls ACT list → Same list, plus visitors + (employees only) and contractors included + +Warden phones reception → Visitor list already on + to check visitor log the tablet + +Warden checks sign-in sheet → Contractors in Condecco + for contractors automatically included + +IT notified manually of → AD extract flags leaver + leavers (sometimes) badge automatically + +Three separate exports for → Single timestamped log, + regulatory report exportable on demand ``` -**Evacuation list includes:** -- Every employee, visitor, and contractor currently badged in -- Last known zone (floor/wing based on most recent access event) -- Host name for every visitor -- Flags for anomalies (revoked badge, disabled account) +**Your wardens do the same job. They just have complete information.** -> "The evacuation list is not a report you run at 9am. It is a live view that is always accurate because it reflects actual badge events, not scheduled bookings." +> "The warden's role does not change. The process does not change. +> The difference is that when they stand at the muster point, they +> are not missing four visitors and wondering about the contractor +> who may or may not have left last Tuesday." 
--- --- -## SLIDE 7 — USE CASE 3: LEAVER DETECTION & ALERTS - -### No More Active Badges for People Who No Longer Work Here +## SLIDE 6 — HOW IT WORKS (SIMPLE VERSION) -**How it works:** +### We Read From Your Systems. We Add Nothing to Them. ``` -Daily AD Extract ──► Integration Platform detects: - account_enabled changed to FALSE - │ - ▼ - Facilities notified automatically: - "John Smith account disabled — - please deactivate ACT badge EMP-1042" - │ - ▼ - If badge NOT deactivated within 2 hours: - ESCALATION ALERT to Security Operations + ACT sends badge Condecco logs AD extract + events in real time visitor check-in/out arrives each morning + │ │ │ + └──────────────────────┴──────────────────────┘ + │ + ┌───────────▼───────────┐ + │ Integration Layer │ + │ (runs in the │ + │ background, │ + │ always on) │ + └───────────┬───────────┘ + │ + ┌────────────────┼────────────────┐ + │ │ │ + ┌──────▼──────┐ ┌──────▼──────┐ ┌─────▼──────┐ + │ Live │ │ Evacuation │ │ Leaver │ + │ Occupancy │ │ List │ │ Alerts │ + │ Dashboard │ │ (tablet) │ │ │ + └─────────────┘ └─────────────┘ └────────────┘ ``` -**For immediate leavers (dismissals):** -- IT sends a one-call API notification -- Platform immediately removes person from occupancy model -- If person is currently badged IN → Security alert raised within seconds - -> "This closes the most common physical security gap we see across organisations of your size. Typically 3–8% of active badges belong to people who have left the organisation." 
+- ACT, Condecco, and your Booking system are **unchanged** +- The integration layer runs quietly in the background +- Wardens see one app on a tablet — that is the only new thing they touch --- --- -## SLIDE 8 — HOW WE HANDLE YOUR AD SITUATION +## SLIDE 7 — THE EVACUATION LIST IN PRACTICE + +### What a Warden Sees on Their Tablet + +``` +EVACUATION LIST — FLOOR 3 ⏱ Generated: 14:32:09 ● LIVE +═══════════════════════════════════════════════════════════════════ -### No Direct AD Access Required + EMPLOYEES (18) + ✓ Alice Brown Engineering Entry 08:51 + ✓ James Okafor Sales Entry 09:14 + ... (16 more) -> *Addressing the contractor limitation proactively* + VISITORS (4) ◄── these were missing before + ✓ Sarah Chen Host: J.Okafor Entry 13:02 + ✓ Marcus Webb Host: J.Okafor Entry 13:02 + ✓ Priya Nair Host: J.Okafor Entry 13:02 + ✓ Tom Hasegawa Host: J.Okafor Entry 13:02 -**You may have heard: "But the contractor can't connect to our Active Directory."** + CONTRACTORS (1) ◄── this was missing before + ✓ R. Santos Facilities Entry 07:30 -**That is correct — and it is not a problem.** + ───────────────────────────────────────────────────── + TOTAL ON FLOOR: 23 ACCOUNTED FOR: [ ] 23/23 -| Concern | Our Approach | -|---------|-------------| -| Can't read user accounts live | Daily encrypted extract delivered to us by your IT team | -| Can't detect leavers in real time | Manual API notification for same-day leavers (takes 2 minutes) | -| Can't validate access entitlements | Your IT team retains ownership — we provide the tooling | -| Data privacy of AD records | Extract contains minimum required fields only; encrypted in transit and at rest | + ⚠ 1 ANOMALY: D. Miller — badge active, AD account + disabled 2 days ago. Check with Security. 
-**What your IT team does (once set up, automated):** -- Automated daily extract — runs overnight, no manual work -- One API call for immediate leavers — can be triggered from your helpdesk tool + [ PDF EXPORT FOR FIRE REPORT ] +``` -> "We designed this specifically for environments where external contractors cannot be given directory access — which is best practice. You get the benefits of integration without compromising your security posture." +> "Notice the visitors. Notice the contractor. Notice the anomaly flag. +> None of that appears on today's ACT-only list. This is not a different +> process — it is the same process with the gaps closed." --- --- -## SLIDE 9 — WHAT WE'RE CONNECTING +## SLIDE 8 — THE LEAVER PROBLEM (SPECIFIC AND PROVABLE) -### Your Existing Systems — No Replacement Required +### This Is Happening Right Now in Your Organisation -| System | What We Read | What Stays the Same | -|--------|-------------|---------------------| -| **ACT (Vanderblitz)** | Badge entry/exit events, badge status | ACT remains your access control system | -| **Condecco** | Visitor check-in/out, contractor records | Condecco remains your visitor management system | -| **Booking System** | Active reservations by zone and time | Booking system unchanged | -| **Active Directory** | Identity, department, account status (via extract) | Your IT team retains full AD ownership | +**The typical numbers (industry benchmark):** +- Organisations with 200–500 employees: average **8–15 orphaned active badges** at any given time +- Time from AD disable to badge deactivation (manual process): **3–10 days average** +- Cost of a physical security incident from an ex-employee: **£20,000–£200,000** (legal, investigation, remediation) -**We add:** -- Integration layer (connects the four systems) -- Identity registry (the common person record) -- Occupancy engine (the state machine that tracks who is inside) -- Dashboard, evacuation module, and alerting +**What the integration does:** -> 
"Every pound you have spent on ACT, Condecco, and your booking system continues to deliver value. We are amplifying that investment, not replacing it." +``` +Morning extract arrives (06:00) + │ + ▼ +Platform compares to yesterday's extract + │ + ▼ +Detects: D. Miller — account_enabled changed to FALSE + │ + ▼ +Automatic notification to Facilities: +"David Miller's AD account was disabled yesterday. + ACT badge EMP-0442 should be reviewed for deactivation." + │ + ▼ +Facilities deactivates badge — same day, not next week +``` + +**No new process for IT. No new process for HR. One notification instead of nothing.** + +> "Your IT team already disables the AD account. They are already doing +> the right thing. We just make sure Facilities hears about it automatically +> — instead of hoping someone remembers to send an email." --- --- -## SLIDE 10 — DELIVERY PLAN +## SLIDE 9 — WHAT ABOUT AD ACCESS? + +### The Contractor Does Not Need Live AD Connectivity -### Phased Delivery — Value at Every Stage +> *You may be wondering: how does the contractor read from Active Directory +> without being given access to our directory?* + +**Answer: they don't need live access. 
They never touch your AD.** ``` -PHASE 1 (Weeks 1–4) PHASE 2 (Weeks 5–10) -Identity Mapping System Integrations -───────────────── ──────────────────── -✓ Badge → AD linkage ✓ ACT live event feed -✓ Identity registry ✓ Condecco connected -✓ AD extract pipeline ✓ Booking system connected -✓ JML workflow ✓ End-to-end testing - -PHASE 3 (Weeks 11–14) PHASE 4 (Weeks 15–18) -Occupancy Engine Dashboard & Evacuation -──────────────── ────────────────────── -✓ Entry/exit tracking ✓ Live occupancy dashboard -✓ Zone-level occupancy ✓ Evacuation list module -✓ Anti-passback handling ✓ Mobile/tablet optimised -✓ Multi-source reconciliation ✓ PDF export & audit trail - -PHASE 5 (Weeks 19–21) GO LIVE (Week 22) -Alerting & Hardening ───────────────── -✓ Anomaly alerts ✓ Full system in production -✓ Penetration test ✓ Staff training completed -✓ Audit logging ✓ Handover documentation -✓ Security hardening ✓ Support contract active +YOUR IT TEAM CONTRACTOR +──────────── ────────── +Runs a scheduled script → Receives an encrypted +(overnight, automated) file each morning + +Script exports minimum Platform ingests it, +required fields only: detects changes, +name, email, department, sends alerts +account status, floor ``` -**Total: 22 weeks from contract signing to full production** - -> "We use a phased approach so you can see working software at each stage — not a 6-month black box. By the end of Phase 2, your four systems are connected. By Phase 4, your fire marshals have their new tool." +- Your IT team runs a PowerShell script (we provide it — 10 minutes to set up) +- Script runs overnight, drops an encrypted file to a secure endpoint +- Contractor receives data, never connects to your AD +- **Best practice: external contractors should not have AD access. This design enforces that.** --- --- -## SLIDE 11 — INVESTMENT SUMMARY +## SLIDE 10 — HONEST COST -### Cost of Building vs. 
Cost of Not Building +### What This Actually Costs — No Inflated Consulting Fees + +> *This is an integration project. We are connecting four APIs and building +> a dashboard. We will be honest about what that is worth.* ``` -BUILD INVESTMENT -──────────────── - Year 1 (build + operate): £133,000 – £192,000 - Year 2+ (operate only): £31,000 – £52,000 - 3-Year Total: £170,000 – £294,000 - -COMPARE TO COST OF NOT BUILDING -───────────────────────────────── - Security incident (ex-employee badge): £50,000 – £500,000+ - Regulatory fine (fire safety breach): £5,000 – £50,000 - Space inefficiency (wrong occupancy data): £50,000+/yr - Manual evacuation administration: £5,000 – £10,000/yr - -BREAKEVEN POINT: Typically Year 1–2 +BUILD (one-off) +─────────────── + Discovery + identity mapping: £2,100 + API integrations (all 4 systems): £4,200 + Occupancy logic: £2,100 + Dashboard + evacuation tablet view: £2,800 + Alerts + testing + UAT: £2,800 + Contingency (20%): £2,800 + ───────────────────────────────────────────── + TOTAL BUILD: £16,800 + +ANNUAL RUNNING COST +─────────────────── + Infrastructure (if on your Azure): £0 – £500 + Support & maintenance: £2,900 – £5,800 + ───────────────────────────────────────────── + ANNUAL TOTAL: £2,900 – £6,300 + +3-YEAR TOTAL: £22,600 – £35,400 ``` -**Payment milestones tied to delivery:** -- 20% on contract signing -- 60% across Phases 1–4 completion -- 20% on go-live and handover +**Payment tied to delivery milestones — you pay as we deliver, not upfront.** -> "We are not asking you to fund a black-box project. Payment tracks delivery. If we don't deliver, you don't pay." +> "We are not a large consultancy charging £1,500 a day to staff a team of +> six. This is a focused piece of work. A skilled developer with the right +> tools can deliver it in 6–8 weeks. We are pricing it honestly." --- --- -## SLIDE 12 — WHAT SUCCESS LOOKS LIKE +## SLIDE 11 — IS IT WORTH IT? 
+ +### A Direct Comparison -### Measurable Outcomes — 90 Days After Go-Live +**What you have today — and it costs nothing extra:** +- ACT evacuation list (employees only) ✓ +- Floor wardens (know their regulars) ✓ +- IT can export AD users (on request, not real-time) ✓ +- Condecco visitor log (at reception, not at muster point) ✓ -| Metric | Before | After | Target | -|--------|--------|-------|--------| -| Evacuation list generation time | 15–30 min | < 60 sec | ✓ | -| Active badges for leavers | Unknown (typically 3–8%) | 0% within 24h of departure | ✓ | -| Occupancy data accuracy | ~40% (manual/assumed) | >95% (badge-verified) | ✓ | -| Time to answer "who is in building?" | 20+ minutes | Instant | ✓ | -| JML processing time (planned leaver) | Days (manual) | Next morning (automated) | ✓ | -| JML processing time (immediate leaver) | Hours (ad hoc) | < 30 minutes (process) | ✓ | +**What you get after integration — for £16,800 build:** +- Evacuation list includes visitors and contractors ✓ +- Warden has everything on a tablet, at the muster point ✓ +- Leaver badges flagged automatically, same day ✓ +- Single audit log for regulatory reporting ✓ +- Live occupancy dashboard ✓ -> "We will agree these KPIs with you before we start, and we will report against them 30, 60, and 90 days post go-live." +**The honest question to ask:** + +> *"If we have a real emergency — not a drill, a real one — at 2pm +> on a day when we have visitors on three floors and two contractors +> in the building, how confident are we that the current process +> accounts for every person?"* + +If the answer is "not fully confident" — this project closes that gap for the cost of one regulatory fine, one legal incident, or roughly 24 days of a facilities manager's time spent on manual reconciliation. --- --- -## SLIDE 13 — WHY US +## SLIDE 12 — DELIVERY TIMELINE -### We Built This for Environments Like Yours +### 8 Weeks. Working Software. Nothing Theoretical. 
-**Our approach:** -- **No big-bang replacement** — we connect what you have -- **Contractor-safe design** — no AD access required from day one -- **Phased delivery** — working software every 4–5 weeks -- **Process + technology** — we write the JML procedures and extract specs, not just the code -- **Handed over, not held hostage** — full documentation and training; you own the system +``` +Week 1–2 Week 3–4 Week 5–6 Week 7–8 +──────── ──────── ──────── ──────── +Discovery Integrations Dashboard & Testing, +& Identity ───────────── Evacuation UAT & +Mapping ACT connected View Go-Live +────────── Condecco ───────────── ──────── +API access connected Warden tablet Wardens +confirmed Booking app live trained + connected Leaver alerts Docs +Badge→email AD extract active handed +linkage ingesting over +complete +``` -**Our experience:** -- Physical security integration projects: [X projects] -- ACT / Vanderblitz integrations: [X] -- Organisations without AD-contractor access: [X] +**End of Week 8:** Your wardens have the tablet app. The leaver alerts are running. The dashboard is live. -> If you have references/case studies, add them here. If not: "We are happy to arrange a reference call with a previous client in a similar environment." +**No phased multi-year rollout. No steering committees. 
Working software in 8 weeks.** --- --- -## SLIDE 14 — RISKS & HOW WE MANAGE THEM - -### We Are Transparent About What Could Go Wrong +## SLIDE 13 — WHAT WE NEED FROM YOU -| Risk | Likelihood | Our Mitigation | -|------|-----------|----------------| -| ACT API limited documentation | Medium | Vendor engagement budget included; fallback to log file parsing | -| AD extract delivery failures | Low | Automated monitoring; alert within 1 hour of missed extract | -| Immediate leaver notification delay | Medium | Process SLA agreed with HR/IT; badge expiry as safety net | -| Tailgating (unregistered persons) | High (inherent) | Clearly scoped out — platform tracks badged persons only | -| Scope creep | Medium | Fixed-price phases; change request process defined upfront | +### Minimal Asks — Mostly Access, Not Effort -**What we need from you:** -- [ ] API documentation / sandbox access for ACT, Condecco, Booking -- [ ] IT team contact for AD extract setup (4 hours of their time) -- [ ] Facilities contact for ACT badge configuration -- [ ] Named Project Sponsor and decision-maker +| What We Need | Who Provides It | Time Required | +|-------------|----------------|---------------| +| ACT API credentials / documentation | Vanderblitz / your Facilities team | 1 hour | +| Condecco API access | Your Facilities / IT team | 30 minutes | +| Booking system API or DB read access | Your IT team | 1 hour | +| AD extract setup (we provide the script) | Your IT administrator | 2 hours (one-off) | +| Named project contact | You | Ongoing — 30 min/week | +| UAT sign-off (end of Week 7) | Facilities manager + 1–2 wardens | 2 hours | -> "We believe the best partnerships start with honesty about risk. None of the risks above are showstoppers — they are managed." +**Total client effort: approximately 8 hours across 8 weeks.** --- --- -## SLIDE 15 — NEXT STEPS +## SLIDE 14 — NEXT STEPS -### How We Get Started +### Simple Decision. Quick Start. 
``` - TODAY WEEK 1 WEEK 2 WEEK 4 - ───── ────── ────── ────── - Agree to Discovery Contract Phase 1 - proceed Workshop Signed Begins - │ │ │ │ - ▼ ▼ ▼ ▼ - Nominate Map all systems Agree KPIs Identity - project and APIs and SLAs registry - sponsor available live + THIS WEEK NEXT WEEK WEEK 2–3 WEEK 4 + ───────── ───────── ──────── ────── + Agree to API access Contract Work + proceed shared signed begins + │ │ │ │ + ▼ ▼ ▼ ▼ + Nominate 30-minute Agree Discovery + a project call with milestones workshop + contact IT/Facilities and KPIs ``` -**We ask for a decision within 2 weeks so we can:** -- Reserve the delivery team -- Schedule the discovery workshop -- Begin API documentation review +**Success measure we will agree upfront:** + +On completion, a fire warden starts a drill, opens the tablet app, and the evacuation list includes every employee, visitor, and contractor currently in the building — generated in under 10 seconds. + +That is the deliverable. That is what you are paying for. --- **Questions?** -Contact: [Contractor Name] -Email: [contact@contractor.com] -Phone: [+44 xxx xxxx xxxx] +Contact: [Contractor Name] +Email: [contact@contractor.com] --- -> Close with: "The building you manage has hundreds of people moving through it every day. Right now, you have four systems watching different pieces of that picture. We will join those pieces together — so that when the fire alarm goes, when a leaver needs to be locked out, when your CEO asks 'how full is the building today?' — you have one answer, instantly, that you can trust." +> Close with: "You already have good systems and good people. What you don't +> have is a single view that brings them together at the moment it matters most. +> We can build that join in 8 weeks for less than the cost of one serious incident. +> That is the whole pitch." 
--- --- -## APPENDIX A — TECHNICAL ARCHITECTURE (Leave-Behind) +## APPENDIX — FOR TECHNICAL STAKEHOLDERS + +### What We Are Actually Building (Honest Technical Scope) ``` -┌──────────────────────────────────────────────────────────────┐ -│ CONTRACTOR-MANAGED PLATFORM │ -│ │ -│ Data Sources Integration Layer Outputs │ -│ ──────────── ───────────────── ─────── │ -│ ACT (badge events) ──► │ -│ Condecco (visitors)──► API Gateway ► Dashboard │ -│ Booking (reserv.) ───► Identity Registry ► Evacuation List │ -│ AD Extract (daily)───► Occupancy Engine ► Alerts │ -│ JML Processor ► Audit Log │ -│ │ -│ CLIENT OBLIGATIONS │ -│ ────────────────── │ -│ Daily AD extract (automated, 06:00) │ -│ Manual leaver notification (immediate leavers, <30 min) │ -│ Badge type governance in ACT │ -│ │ -└──────────────────────────────────────────────────────────────┘ +COMPONENTS TECHNOLOGY +────────── ────────── +Integration service Node.js or Python — lightweight, + runs on a single small VM or + Azure Function / AWS Lambda + +Identity registry PostgreSQL — single table of + ~500–2000 person records + +Occupancy state In-memory + DB — simple entry/exit + counter per zone, reset daily + +Dashboard Power BI (if M365 licence exists) + or Grafana (open source, free) + or lightweight React app (if custom + look/feel required — adds 3 days) + +Evacuation tablet view Responsive web app — works on any + tablet browser, no app store required + +Alerting Email + Teams webhook — no additional + platform required + +AD extract ingestion Scheduled job reads JSON/CSV drop + from SFTP or HTTPS endpoint ``` ---- +### What Could Make It More Expensive + +| Scenario | Additional Cost | +|----------|----------------| +| ACT has no REST API — requires log file parsing | +£2,000–£4,000 | +| Condecco requires vendor engagement for API access | +£1,000–£2,000 | +| Client requires custom-branded dashboard (not Power BI/Grafana) | +£2,000–£3,500 | +| High-availability / failover hosting required | +£1,500–£3,000/yr 
| +| Client requires ISO 27001-aligned delivery documentation | +£1,500 | -## APPENDIX B — GLOSSARY +### What Makes It Cheaper -| Term | Definition | -|------|-----------| -| **ACT** | Access Control Technology — the door/badge access system managed by Vanderblitz | -| **Condecco** | Visitor and contractor management platform | -| **AD** | Active Directory — Microsoft's identity and authentication directory | -| **JML** | Joiner / Mover / Leaver — the lifecycle of an employee or contractor identity | -| **Identity Registry** | The contractor-maintained database that links badge IDs, email addresses, and AD records into a single person record | -| **Occupancy Engine** | The software component that tracks who is inside the building in real time based on badge entry and exit events | -| **Anti-passback** | A physical access control rule that prevents a badge from being used to enter the same zone twice without an intervening exit | -| **PSIM** | Physical Security Information Management — the category of software that integrates multiple security systems into a single view | +| Scenario | Saving | +|----------|--------| +| Client hosts on existing Azure subscription | -£1,320–£2,520/yr | +| Client has Power BI (M365) — no dashboard build needed | -£1,400 | +| AD extract script already exists | -£700 |