FinancialSecurityPlan.md
May 30, 2026 ยท View on GitHub
๐ฐ Riksdagsmonitor โ Financial & Security Plan
๐ Infrastructure Cost Analysis & Security Investment
๐ Secure Development Policy ยท Classification Framework
๐ Document Owner: CEO | ๐ Version: 1.3 | ๐
Last Updated: 2026-05-28 (UTC)
๐ Review Cycle: Annual | โฐ Next Review: 2027-05-28
๐ Purpose
This document outlines the financial and security implementation plan for the Riksdagsmonitor platform โ a static HTML5/CSS3 website providing Swedish Parliament transparency across 14 languages.
Riksdagsmonitor uses a dual-deployment architecture with AWS CloudFront + S3 as the primary delivery mechanism and GitHub Pages as the disaster recovery standby, as detailed in the Business Continuity Plan. For architectural context, see the Architecture Documentation and End-of-Life Strategy.
๐ต Cost Summary โ Dual Deployment Architecture
Cash Flow Overview
| Time Frame | Monthly (USD) | Annual (USD) |
|---|---|---|
| Primary Infrastructure (AWS) | $7.50 | $90.00 |
| DR Infrastructure (GitHub Pages) | $0.00 | $0.00 |
| Domain Registration | $1.00 | $12.00 |
| Security Tooling | $0.00 | $0.00 |
| Development CI/CD | $0.00 | $0.00 |
| Grand Total | $8.50 | $102.00 |
Note: Riksdagsmonitor leverages free-tier and open-source services extensively. The primary recurring costs are AWS S3/CloudFront hosting (including Route 53 DNS) and domain registration. All security tooling is free for open-source projects.
๐๏ธ Infrastructure Cost Breakdown
Primary Deployment: AWS CloudFront + S3
| Component | AWS Service | Monthly (USD) | Annual (USD) | Notes |
|---|---|---|---|---|
| Static Hosting | S3 Standard | $0.50 | $6.00 | ~5 GB storage, static HTML/CSS/JS/data |
| CDN | CloudFront | $5.00 | $60.00 | Global edge caching, ~50 GB/month transfer |
| SSL/TLS | ACM (Certificate Manager) | $0.00 | $0.00 | Free public certificates |
| DNS | Route 53 | $1.00 | $12.00 | Hosted zone + health checks |
| Monitoring | CloudWatch (basic) | $0.00 | $0.00 | Basic metrics included |
| Failover | Route 53 Health Checks | $1.00 | $12.00 | 2 health checks for failover |
| Subtotal (AWS) | $7.50 | $90.00 |
Disaster Recovery: GitHub Pages (Standby)
| Component | Service | Monthly (USD) | Annual (USD) | Notes |
|---|---|---|---|---|
| Hosting | GitHub Pages | $0.00 | $0.00 | Free for public repos |
| CDN | GitHub Pages CDN (Fastly) | $0.00 | $0.00 | Included with GitHub Pages |
| SSL/TLS | Let's Encrypt (via GitHub) | $0.00 | $0.00 | Automatic HTTPS |
| Subtotal (DR) | $0.00 | $0.00 |
Domain & Registration
| Component | Service | Monthly (USD) | Annual (USD) | Notes |
|---|---|---|---|---|
| Domain | riksdagsmonitor.com | $1.00 | $12.00 | Annual domain renewal |
| DNS | Route 53 Hosted Zone | $0.00 | $0.00 | Included in AWS section above (Route 53 line) |
| SSL Certificate | ACM | $0.00 | $0.00 | Free for AWS services |
| Subtotal (Domain) | $1.00 | $12.00 | Domain registration only; DNS cost in AWS section |
๐ Security Investment Analysis
Current Security Services (All Free Tier / Open Source)
| Security Service | Provider | Annual Cost | ISMS Policy Alignment |
|---|---|---|---|
| SAST Scanning | CodeQL | $0.00 | Secure Development Policy |
| Dependency Scanning | Dependabot + npm audit | $0.00 | Vulnerability Management |
| Secret Scanning | GitHub Secret Scanning | $0.00 | Cryptography Policy |
| Supply Chain Security | SLSA Build Provenance + OpenSSF Scorecard | $0.00 | Secure Development Policy |
| SBOM Generation | GitHub SBOM (SPDX format) | $0.00 | Secure Development Policy |
| CI/CD Hardening | step-security/harden-runner | $0.00 | Secure Development Policy |
| HTML Validation | HTMLHint | $0.00 | Secure Development Policy |
| Dead Code Detection | knip | $0.00 | Secure Development Policy |
| Unit Testing | Vitest | $0.00 | Secure Development Policy |
| E2E Testing | Cypress (OSS) | $0.00 | Secure Development Policy |
| Performance Monitoring | Lighthouse CI | $0.00 | Quality gates |
| Total Security Tooling | $0.00 |
Security ROI Metrics
| Metric | Value | Source |
|---|---|---|
| Total Annual Security Investment | $0/year | Free OSS tooling |
| Total Annual Infrastructure | $102/year | AWS + domain costs |
| Security-to-Infrastructure Ratio | Included | Security is built-in, not bolt-on |
| Vulnerability Detection Rate | >95% | Automated scanning pipeline (CodeQL + Dependabot + npm audit) |
| Mean Time to Detect (MTTD) | <24 hours | Automated CI/CD scanning on every push |
| Mean Time to Remediate (MTTR) | <48 hours critical, <7 days high | Dependabot auto-merge + manual review |
| Supply Chain Score | OpenSSF Scorecard | Automated weekly assessment |
| Build Attestation | SLSA Level 3 | Provenance attached to every release |
๐ก๏ธ ISMS Policy Alignment
Security Investment by ISMS Policy
| ๐ก๏ธ ISMS Policy | ๐ฐ Annual Investment | ๐ง Services | ๐ Business Value |
|---|---|---|---|
| Incident Response Plan | $12.00 | Route 53 Health Checks | Automated failover detection DR activation capability |
| Vulnerability Management | $0.00 | Dependabot + CodeQL + npm audit | Continuous vulnerability scanning Automated patch PRs |
| Cryptography Policy | $0.00 | ACM + SRI + GitHub Secret Scanning | TLS 1.3 certificates Subresource integrity Secret leak prevention |
| Network Security Policy | $60.00 | CloudFront | DDoS protection (AWS Shield Standard) Edge caching reduces origin exposure |
| Information Security Policy | $0.00 | CloudWatch (basic) + GitHub Audit Log | Infrastructure monitoring Repository access auditing |
| Business Continuity Plan | $30.00 | S3 ($6) + Route 53 DNS ($12) + Domain ($12) | Dual-deployment resilience GitHub Pages DR at $0 additional |
| Secure Development Policy | $0.00 | SLSA + SBOM + harden-runner | Supply chain security Build provenance attestation |
| Total | $102.00 |
Cost Efficiency Analysis
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Annual Cost Distribution โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ โ
โ CloudFront CDN โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ \$60 (59%)โ
โ Route 53 DNS โโโโโโ \$12 (12%) โ
โ Route 53 Health โโโโโโ \$12 (12%) โ
โ Domain Registration โโโโโโ \$12 (12%) โ
โ S3 Storage โโโ \$6 (6%) โ
โ Security Tooling (included in free tier) \$0 (0%) โ
โ โ
โ Total: \$102/year (\$8.50/month) โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Key Insight: By leveraging open-source security tooling and GitHub's free tier for public repositories, Riksdagsmonitor achieves enterprise-grade security posture at near-zero security cost. The entire annual budget of $102 is spent on infrastructure availability, not security tooling.
๐ก Included Security Features (Zero Additional Cost)
AWS Shield Standard (Included with CloudFront)
- DDoS Protection: Automatic layer 3/4 DDoS mitigation
- Always-On Detection: Network flow monitoring for volumetric attacks
- No Additional Cost: Included with every CloudFront distribution
GitHub Advanced Security (Free for Public Repos)
- CodeQL Analysis: Semantic code analysis for JavaScript/TypeScript vulnerabilities
- Dependabot Alerts: Real-time vulnerability notifications for all dependencies
- Secret Scanning: Detection of leaked credentials in commits
- Security Advisories: Coordinated vulnerability disclosure workflow
Build Integrity (Free)
- SLSA Build Provenance: Cryptographic attestation of build process
- SBOM (SPDX): Software Bill of Materials for supply chain transparency
- SRI Hashes: Subresource Integrity for all CDN-loaded assets
- SHA-Pinned Actions: Supply chain protection for CI/CD pipeline
๐ Future Cost Projection
Potential Cost Increases
| Scenario | Trigger | Additional Monthly Cost | Additional Annual Cost |
|---|---|---|---|
| Traffic Growth (10x) | Viral content / election period | +$20.00 | +$240.00 |
| AWS WAF Addition | Targeted attack mitigation | +$10.00 | +$120.00 |
| CloudFront Functions | Edge-side language routing | +$2.00 | +$24.00 |
| AWS GuardDuty | Enhanced threat detection | +$15.00 | +$180.00 |
| Worst-Case Total | All scenarios combined | $59.00 | $708.00 |
Cost Optimisation Opportunities
| Opportunity | Potential Savings | Implementation |
|---|---|---|
| CloudFront Reserved Capacity | 10โ20% on data transfer | Commit to 12-month pricing |
| S3 Intelligent Tiering | 5โ10% on storage | Enable for data archives |
| Consolidated billing | Shared across Hack23 repos | AWS Organizations |
๐ Related Documents
๐๏ธ Architecture & Planning
- ๐๏ธ Architecture โ System architecture overview
- ๐ Future Architecture โ Long-term architectural vision
- ๐ End-of-Life Strategy โ Technology lifecycle management
- ๐ README โ Project overview and quick links
๐ก๏ธ Security & Compliance
- ๐ก๏ธ Security Architecture โ Security model details
- ๐ฏ Threat Model โ Risk-driven justification for security services
- ๐ CRA Assessment โ EU Cyber Resilience Act compliance
- ๐ Security Policy โ Vulnerability disclosure and management
๐ Operations & Lifecycle
- ๐ BCP Plan โ Business continuity and disaster recovery
- ๐ Release Process โ Release procedures with attestations
- ๐ CI/CD Workflows โ Security-hardened CI/CD pipelines
- ๐ฎ Future Workflows โ Enhanced CI/CD roadmap
๐ ISMS Policies
- ๐ Information Security Policy โ Overall security governance
- ๐ Vulnerability Management โ Security testing and remediation
- ๐จ Incident Response Plan โ Security incident management
- ๐ท๏ธ Classification Framework โ Business impact and risk assessment
๐ Document Control:
โ
Approved by: James Pether Sรถrling, CEO
๐ค Distribution: Public
๐ท๏ธ Classification:
๐
Effective Date: 2026-05-28
โฐ Next Review: 2027-05-28
๐ฏ Framework Compliance:
๐ IMF Integration โ Financial Risk Note
Effective: 2026-04-24 ยท Authoritative hub:
analysis/imf/README.mdยทanalysis/imf/agentic-integration.mdยทanalysis/imf/indicators-inventory.jsonยทanalysis/imf/data-dictionary.mdยท.github/aw/ECONOMIC_DATA_CONTRACT.md
IMF cost surface
| Item | Cost | Notes |
|---|---|---|
| IMF Datamapper REST API | โฌ0 | Free, public, anonymous; no paid tier |
| IMF SDMX 3.0 endpoint | โฌ0 | Free, public, anonymous; no paid tier |
| IMF data redistribution licence | โฌ0 | Attribution required โ no licence fee |
| Egress bandwidth (IMF responses) | Negligible | <50 MB/month per workflow on cache-first strategy |
IMF financial risks
| Risk | Likelihood | Impact | Mitigation |
|---|---|---|---|
| IMF introduces a paid tier for high-volume access | LOW | LOW | Cache-first design keeps us under any plausible free-tier ceiling |
| IMF Datamapper deprecation forces migration to commercial provider (e.g., Refinitiv, Bloomberg) | LOW | HIGH | SDMX 3.0 is the open standard fallback; no commercial provider needed for the open IMF data we use |
| IMF data licence change requires paid attribution scheme | LOW | LOW | Attribution is current free requirement; downside is operational not financial |
IMF financial benefit
The IMF-primary, WB-residue, SCB-Sweden split avoids any commercial economic-data subscription that the platform might otherwise need (Bloomberg Terminal Data Feed ~โฌ20K/seat/year, Refinitiv ~โฌ15K/seat/year). Free-tier IMF coverage is the deliberate financial-resilience choice.
Canonical rule. Every economic claim in a Riksdagsmonitor article cites an IMF dataflow first; World Bank citations are reserved for governance, environment and social residue (the classes IMF does not publish). SCB is the Swedish-specific ground truth layer. See ECONOMIC_DATA_CONTRACT.md v2.1 for the banned-phrase list and vintage discipline (>6 mo โ annotation).
๐ Hack23 Ecosystem
| ๐ Platforms | ๐ฆ Open-Source Projects | ๐ก๏ธ Governance & Standards |
|---|---|---|
|
๐ณ๏ธ Riksdagsmonitor โ Swedish Parliament intelligence ๐ช๐บ EU Parliament Monitor โ European coverage ๐ต๏ธ Citizen Intelligence Agency โ political-data engine ๐ Hack23 AB โ corporate site ๐ฐ Hack23 Blog โ engineering & policy ๐ผ Hack23 on LinkedIn |
๐ณ๏ธ Hack23/riksdagsmonitor ๐ต๏ธ Hack23/cia ๐ช๐บ Hack23/euparliamentmonitor ๐ Hack23/european-parliament-mcp โ Hack23/cia-compliance-manager ๐ฅ Hack23/black-trigram ๐ Hack23/homepage |
๐ก๏ธ Hack23 ISMS-PUBLIC โ public ISMS ๐ Information Security Policy ๐ค AI Policy ๐งช Secure Development Policy ๐ฏ Threat Modeling Policy โ ๏ธ Vulnerability Management ๐ท๏ธ Classification Framework |
๐ณ๏ธ Empower citizens ยท ๐ Strengthen democratic accountability ยท ๐ต๏ธ Illuminate the political process
ยฉ 2008โ2026 Hack23 AB (Org.nr 559534-7807) ยท Maintainer: James Pether Sรถrling, CISSP CISM