FinancialSecurityPlan.md

May 30, 2026 ยท View on GitHub

Hack23 Logo

๐Ÿ’ฐ Riksdagsmonitor โ€” Financial & Security Plan

๐Ÿ“Š Infrastructure Cost Analysis & Security Investment
๐Ÿ”— Secure Development Policy ยท Classification Framework

Owner Version Effective Date Review Cycle

๐Ÿ“‹ Document Owner: CEO | ๐Ÿ“„ Version: 1.3 | ๐Ÿ“… Last Updated: 2026-05-28 (UTC)
๐Ÿ”„ Review Cycle: Annual | โฐ Next Review: 2027-05-28


๐Ÿ“‹ Purpose

This document outlines the financial and security implementation plan for the Riksdagsmonitor platform โ€” a static HTML5/CSS3 website providing Swedish Parliament transparency across 14 languages.

Riksdagsmonitor uses a dual-deployment architecture with AWS CloudFront + S3 as the primary delivery mechanism and GitHub Pages as the disaster recovery standby, as detailed in the Business Continuity Plan. For architectural context, see the Architecture Documentation and End-of-Life Strategy.


๐Ÿ’ต Cost Summary โ€” Dual Deployment Architecture

Cash Flow Overview

Time FrameMonthly (USD)Annual (USD)
Primary Infrastructure (AWS)$7.50$90.00
DR Infrastructure (GitHub Pages)$0.00$0.00
Domain Registration$1.00$12.00
Security Tooling$0.00$0.00
Development CI/CD$0.00$0.00
Grand Total$8.50$102.00

Note: Riksdagsmonitor leverages free-tier and open-source services extensively. The primary recurring costs are AWS S3/CloudFront hosting (including Route 53 DNS) and domain registration. All security tooling is free for open-source projects.


๐Ÿ—๏ธ Infrastructure Cost Breakdown

Primary Deployment: AWS CloudFront + S3

ComponentAWS ServiceMonthly (USD)Annual (USD)Notes
Static HostingS3 Standard$0.50$6.00~5 GB storage, static HTML/CSS/JS/data
CDNCloudFront$5.00$60.00Global edge caching, ~50 GB/month transfer
SSL/TLSACM (Certificate Manager)$0.00$0.00Free public certificates
DNSRoute 53$1.00$12.00Hosted zone + health checks
MonitoringCloudWatch (basic)$0.00$0.00Basic metrics included
FailoverRoute 53 Health Checks$1.00$12.002 health checks for failover
Subtotal (AWS)$7.50$90.00

Disaster Recovery: GitHub Pages (Standby)

ComponentServiceMonthly (USD)Annual (USD)Notes
HostingGitHub Pages$0.00$0.00Free for public repos
CDNGitHub Pages CDN (Fastly)$0.00$0.00Included with GitHub Pages
SSL/TLSLet's Encrypt (via GitHub)$0.00$0.00Automatic HTTPS
Subtotal (DR)$0.00$0.00

Domain & Registration

ComponentServiceMonthly (USD)Annual (USD)Notes
Domainriksdagsmonitor.com$1.00$12.00Annual domain renewal
DNSRoute 53 Hosted Zone$0.00$0.00Included in AWS section above (Route 53 line)
SSL CertificateACM$0.00$0.00Free for AWS services
Subtotal (Domain)$1.00$12.00Domain registration only; DNS cost in AWS section

๐Ÿ” Security Investment Analysis

Current Security Services (All Free Tier / Open Source)

Security ServiceProviderAnnual CostISMS Policy Alignment
SAST ScanningCodeQL$0.00Secure Development Policy
Dependency ScanningDependabot + npm audit$0.00Vulnerability Management
Secret ScanningGitHub Secret Scanning$0.00Cryptography Policy
Supply Chain SecuritySLSA Build Provenance + OpenSSF Scorecard$0.00Secure Development Policy
SBOM GenerationGitHub SBOM (SPDX format)$0.00Secure Development Policy
CI/CD Hardeningstep-security/harden-runner$0.00Secure Development Policy
HTML ValidationHTMLHint$0.00Secure Development Policy
Dead Code Detectionknip$0.00Secure Development Policy
Unit TestingVitest$0.00Secure Development Policy
E2E TestingCypress (OSS)$0.00Secure Development Policy
Performance MonitoringLighthouse CI$0.00Quality gates
Total Security Tooling$0.00

Security ROI Metrics

MetricValueSource
Total Annual Security Investment$0/yearFree OSS tooling
Total Annual Infrastructure$102/yearAWS + domain costs
Security-to-Infrastructure RatioIncludedSecurity is built-in, not bolt-on
Vulnerability Detection Rate>95%Automated scanning pipeline (CodeQL + Dependabot + npm audit)
Mean Time to Detect (MTTD)<24 hoursAutomated CI/CD scanning on every push
Mean Time to Remediate (MTTR)<48 hours critical, <7 days highDependabot auto-merge + manual review
Supply Chain ScoreOpenSSF ScorecardAutomated weekly assessment
Build AttestationSLSA Level 3Provenance attached to every release

๐Ÿ›ก๏ธ ISMS Policy Alignment

Security Investment by ISMS Policy

๐Ÿ›ก๏ธ ISMS Policy๐Ÿ’ฐ Annual Investment๐Ÿ”ง Services๐Ÿ“Š Business Value
Incident Response Plan$12.00Route 53 Health ChecksAutomated failover detection
DR activation capability
Vulnerability Management$0.00Dependabot + CodeQL + npm auditContinuous vulnerability scanning
Automated patch PRs
Cryptography Policy$0.00ACM + SRI + GitHub Secret ScanningTLS 1.3 certificates
Subresource integrity
Secret leak prevention
Network Security Policy$60.00CloudFrontDDoS protection (AWS Shield Standard)
Edge caching reduces origin exposure
Information Security Policy$0.00CloudWatch (basic) + GitHub Audit LogInfrastructure monitoring
Repository access auditing
Business Continuity Plan$30.00S3 ($6) + Route 53 DNS ($12) + Domain ($12)Dual-deployment resilience
GitHub Pages DR at $0 additional
Secure Development Policy$0.00SLSA + SBOM + harden-runnerSupply chain security
Build provenance attestation
Total$102.00

Cost Efficiency Analysis

โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚                    Annual Cost Distribution                      โ”‚
โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค
โ”‚                                                                  โ”‚
โ”‚  CloudFront CDN      โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆ  \$60 (59%)โ”‚
โ”‚  Route 53 DNS        โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆ                            \$12 (12%) โ”‚
โ”‚  Route 53 Health     โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆ                            \$12 (12%) โ”‚
โ”‚  Domain Registration โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆ                            \$12 (12%) โ”‚
โ”‚  S3 Storage          โ–ˆโ–ˆโ–ˆ                               \$6  (6%)  โ”‚
โ”‚  Security Tooling    (included in free tier)            \$0  (0%) โ”‚
โ”‚                                                                  โ”‚
โ”‚  Total: \$102/year (\$8.50/month)                                  โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜

Key Insight: By leveraging open-source security tooling and GitHub's free tier for public repositories, Riksdagsmonitor achieves enterprise-grade security posture at near-zero security cost. The entire annual budget of $102 is spent on infrastructure availability, not security tooling.


๐Ÿ’ก Included Security Features (Zero Additional Cost)

AWS Shield Standard (Included with CloudFront)

  • DDoS Protection: Automatic layer 3/4 DDoS mitigation
  • Always-On Detection: Network flow monitoring for volumetric attacks
  • No Additional Cost: Included with every CloudFront distribution

GitHub Advanced Security (Free for Public Repos)

  • CodeQL Analysis: Semantic code analysis for JavaScript/TypeScript vulnerabilities
  • Dependabot Alerts: Real-time vulnerability notifications for all dependencies
  • Secret Scanning: Detection of leaked credentials in commits
  • Security Advisories: Coordinated vulnerability disclosure workflow

Build Integrity (Free)

  • SLSA Build Provenance: Cryptographic attestation of build process
  • SBOM (SPDX): Software Bill of Materials for supply chain transparency
  • SRI Hashes: Subresource Integrity for all CDN-loaded assets
  • SHA-Pinned Actions: Supply chain protection for CI/CD pipeline

๐Ÿ“ˆ Future Cost Projection

Potential Cost Increases

ScenarioTriggerAdditional Monthly CostAdditional Annual Cost
Traffic Growth (10x)Viral content / election period+$20.00+$240.00
AWS WAF AdditionTargeted attack mitigation+$10.00+$120.00
CloudFront FunctionsEdge-side language routing+$2.00+$24.00
AWS GuardDutyEnhanced threat detection+$15.00+$180.00
Worst-Case TotalAll scenarios combined$59.00$708.00

Cost Optimisation Opportunities

OpportunityPotential SavingsImplementation
CloudFront Reserved Capacity10โ€“20% on data transferCommit to 12-month pricing
S3 Intelligent Tiering5โ€“10% on storageEnable for data archives
Consolidated billingShared across Hack23 reposAWS Organizations

๐Ÿ—๏ธ Architecture & Planning

๐Ÿ›ก๏ธ Security & Compliance

๐Ÿ”„ Operations & Lifecycle

๐Ÿ” ISMS Policies


๐Ÿ“‹ Document Control:
โœ… Approved by: James Pether Sรถrling, CEO
๐Ÿ“ค Distribution: Public
๐Ÿท๏ธ Classification: Confidentiality: Public Integrity: Moderate Availability: Standard
๐Ÿ“… Effective Date: 2026-05-28
โฐ Next Review: 2027-05-28
๐ŸŽฏ Framework Compliance: ISO 27001 NIST CSF 2.0 CIS Controls


๐ŸŒ IMF Integration โ€” Financial Risk Note

Effective: 2026-04-24 ยท Authoritative hub: analysis/imf/README.md ยท analysis/imf/agentic-integration.md ยท analysis/imf/indicators-inventory.json ยท analysis/imf/data-dictionary.md ยท .github/aw/ECONOMIC_DATA_CONTRACT.md

IMF cost surface

ItemCostNotes
IMF Datamapper REST APIโ‚ฌ0Free, public, anonymous; no paid tier
IMF SDMX 3.0 endpointโ‚ฌ0Free, public, anonymous; no paid tier
IMF data redistribution licenceโ‚ฌ0Attribution required โ€” no licence fee
Egress bandwidth (IMF responses)Negligible<50 MB/month per workflow on cache-first strategy

IMF financial risks

RiskLikelihoodImpactMitigation
IMF introduces a paid tier for high-volume accessLOWLOWCache-first design keeps us under any plausible free-tier ceiling
IMF Datamapper deprecation forces migration to commercial provider (e.g., Refinitiv, Bloomberg)LOWHIGHSDMX 3.0 is the open standard fallback; no commercial provider needed for the open IMF data we use
IMF data licence change requires paid attribution schemeLOWLOWAttribution is current free requirement; downside is operational not financial

IMF financial benefit

The IMF-primary, WB-residue, SCB-Sweden split avoids any commercial economic-data subscription that the platform might otherwise need (Bloomberg Terminal Data Feed ~โ‚ฌ20K/seat/year, Refinitiv ~โ‚ฌ15K/seat/year). Free-tier IMF coverage is the deliberate financial-resilience choice.

Canonical rule. Every economic claim in a Riksdagsmonitor article cites an IMF dataflow first; World Bank citations are reserved for governance, environment and social residue (the classes IMF does not publish). SCB is the Swedish-specific ground truth layer. See ECONOMIC_DATA_CONTRACT.md v2.1 for the banned-phrase list and vintage discipline (>6 mo โ†’ annotation).


๐Ÿ”— Hack23 Ecosystem

๐ŸŒ Platforms ๐Ÿ“ฆ Open-Source Projects ๐Ÿ›ก๏ธ Governance & Standards
๐Ÿ—ณ๏ธ Riksdagsmonitor โ€” Swedish Parliament intelligence
๐Ÿ‡ช๐Ÿ‡บ EU Parliament Monitor โ€” European coverage
๐Ÿ•ต๏ธ Citizen Intelligence Agency โ€” political-data engine
๐ŸŒ Hack23 AB โ€” corporate site
๐Ÿ“ฐ Hack23 Blog โ€” engineering & policy
๐Ÿ’ผ Hack23 on LinkedIn
๐Ÿ—ณ๏ธ Hack23/riksdagsmonitor
๐Ÿ•ต๏ธ Hack23/cia
๐Ÿ‡ช๐Ÿ‡บ Hack23/euparliamentmonitor
๐Ÿ”Œ Hack23/european-parliament-mcp
โœ… Hack23/cia-compliance-manager
๐Ÿฅ‹ Hack23/black-trigram
๐Ÿ  Hack23/homepage
๐Ÿ›ก๏ธ Hack23 ISMS-PUBLIC โ€” public ISMS
๐Ÿ”’ Information Security Policy
๐Ÿค– AI Policy
๐Ÿงช Secure Development Policy
๐ŸŽฏ Threat Modeling Policy
โš ๏ธ Vulnerability Management
๐Ÿท๏ธ Classification Framework

OpenSSF Best Practices OpenSSF Scorecard ISO 27001:2022 NIST CSF 2.0 CIS Controls v8.1 Apache 2.0

๐Ÿ—ณ๏ธ Empower citizens ยท ๐Ÿ” Strengthen democratic accountability ยท ๐Ÿ•ต๏ธ Illuminate the political process

ยฉ 2008โ€“2026 Hack23 AB (Org.nr 559534-7807) ยท Maintainer: James Pether Sรถrling, CISSP CISM