Tough Facilities Management Questions And The Answers

David Herring

First, some common infrastructure questions

  • Technical Schematic – A visual diagram showing how the system and all the infrastructure connect and interact (cameras, SIMs, data transfer, etc.)

We have a number of schematic diagrams on our website that allow you to interactively drill into the technical design of Visitor Express. The overview of all components is shown here. Click here to see how a camera interfaces in a parking solution. If you want a detailed end-user manual, please view one of our post-installation guides.

  • Cloud - What cloud service is consumed? (Google, AWS etc)

We use OVH as our primary hosting provider. For UK-based clients we only use OVH's UK-based services. Security of infrastructure is key to Visitor Express usage in both government and financial sectors. The hosting meets multiple standards and certifications (PCI DSS, ISO/IEC 27001, SOC 1 Type II and SOC 2 Type II, etc.). Note that these certifications attest to OVH's hosting infrastructure; assurance of the Visitor Express application itself comes from the penetration testing and code scanning described below. OVH hosting security

  • Cloud - Is the cloud service public or private cloud? (Public being shared with other clients, private being our own non shared cloud instance)

We only use private cloud services for all customer-facing and data-storage roles; public cloud services are used only for demonstration and development. Cloud access is only via the encrypted protocols HTTPS and SSH. SSH access is permitted only from designated IP addresses, and infrastructure changes require two-factor authentication. These controls are enforced independently at two layers: an edge-of-network firewall provided by OVH, and a Unix-based host firewall configured for Visitor Express on every production server, so a misconfiguration in one layer does not on its own expose SSH.
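As an added example (not NetFM's or OVH's tooling), the following Python audit checks sshd's own log against the designated-address allowlist that the two firewalls are supposed to enforce, which is the evidence a reviewer of this control would ask for. The allowlist ranges, host names and log lines are constructed; only OpenSSH's `Accepted <method> for <user> from <ip> port <n>` message format is assumed.

```python
"""Audit sshd authentication log lines against an allowlist of designated
source addresses.

Added example, not Visitor Express or NetFM code. It assumes OpenSSH's
"Accepted <method> for <user> from <ip> port <n>" message format; the
allowlist and the log lines below are constructed for illustration.
"""
import ipaddress
import re

# Hypothetical designated ranges (RFC 5737 / RFC 3849 documentation space).
ALLOWED_SOURCES = [
    ipaddress.ip_network("198.51.100.0/29"),
    ipaddress.ip_network("2001:db8:1::/64"),
]

# Only successful logins matter for this check; failed attempts are noise here.
ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from "
    r"(?P<ip>[0-9A-Fa-f.:]+) port (?P<port>\d+)"
)


def parse_accepted(line):
    """Return a dict for an 'Accepted ...' line, or None for anything else."""
    m = ACCEPTED_RE.search(line)
    if not m:
        return None
    return {
        "method": m.group("method"),
        "user": m.group("user"),
        "ip": ipaddress.ip_address(m.group("ip")),
        "port": int(m.group("port")),
    }


def is_designated(ip, allowed=ALLOWED_SOURCES):
    """True if ip (string or ipaddress object) falls inside an allowed range."""
    if isinstance(ip, str):
        ip = ipaddress.ip_address(ip)
    return any(ip in net for net in allowed)


def find_violations(lines, allowed=ALLOWED_SOURCES):
    """Return (user, ip, method) for every successful login from outside the
    designated ranges. An empty list means the allowlist held for this log."""
    violations = []
    for line in lines:
        rec = parse_accepted(line)
        if rec is None:
            continue
        if not is_designated(rec["ip"], allowed):
            violations.append((rec["user"], str(rec["ip"]), rec["method"]))
    return violations


# Constructed sample: designated IPv4 and IPv6 logins, one failed attempt
# (ignored), and one successful login from outside the allowlist.
SAMPLE_LOG = [
    "Jan 12 09:14:02 ve-prod-1 sshd[2311]: Accepted publickey for deploy "
    "from 198.51.100.3 port 51122 ssh2: ED25519 SHA256:constructed",
    "Jan 12 09:20:45 ve-prod-1 sshd[2390]: Failed password for root "
    "from 203.0.113.9 port 40211 ssh2",
    "Jan 12 09:21:07 ve-prod-1 sshd[2402]: Accepted publickey for deploy "
    "from 203.0.113.7 port 40230 ssh2: ED25519 SHA256:constructed",
    "Jan 12 10:02:13 ve-prod-1 sshd[2511]: Accepted publickey for ops "
    "from 2001:db8:1::10 port 60112 ssh2: ED25519 SHA256:constructed",
]

if __name__ == "__main__":
    for user, ip, method in find_violations(SAMPLE_LOG):
        print(f"ALERT: {user} logged in via {method} from non-designated {ip}")
```

A non-empty result is the interesting case: it means a login succeeded from an address that both the edge and host firewalls should have dropped, so either the allowlist on one layer drifted or the other layer was bypassed. Running this over the authentication log after every firewall change is a cheap way to confirm the two layers still agree.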

  • Data Retention – Can we remove all visitor data automatically at set intervals (every 60, 90 days, etc.)?

Yes. Django-Q scheduled tasks run regular data cleansing at set intervals. Records are removed by Django-based services whose filters can follow flexible business-logic requirements (older than xx days, whether a GDPR acknowledgement was ticked, per-organisation filters, etc.). The Django-Q schedules are fully customisable by clients through the admin-level interface.
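The retention logic described above, as an added example rather than Visitor Express's own code: a rule composed of the three filter kinds the answer lists (age, GDPR acknowledgement, organisation) is evaluated against constructed visitor records with a fixed clock. The class and field names (`Visitor`, `created_at`, `gdpr_ack`, `organisation`) are assumptions, and the block deliberately uses plain Python objects so it runs without Django or Django-Q.

```python
"""Retention-rule evaluation for visitor records.

Added example, not the Visitor Express implementation. It models the
selection logic only, on plain Python objects, so it runs without Django or
Django-Q; the field names (created_at, gdpr_ack, organisation) are assumed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Visitor:
    id: int
    organisation: str
    created_at: datetime  # must be timezone-aware
    gdpr_ack: bool = False


@dataclass(frozen=True)
class RetentionRule:
    older_than_days: int
    require_gdpr_ack: bool = False
    organisations: frozenset = frozenset()  # empty means every organisation

    def cutoff(self, now):
        # Naive datetimes compare wrongly across DST and timezones, so refuse
        # them rather than risk purging the wrong records.
        if now.tzinfo is None:
            raise ValueError("'now' must be timezone-aware")
        return now - timedelta(days=self.older_than_days)

    def matches(self, visitor, now):
        """True if the rule selects this visitor for removal."""
        if visitor.created_at.tzinfo is None:
            raise ValueError(f"visitor {visitor.id} has a naive created_at")
        # Strictly older than the cutoff: a record exactly N days old is kept
        # until the next run, so "older than xx days" stays unambiguous.
        if visitor.created_at >= self.cutoff(now):
            return False
        if self.require_gdpr_ack and not visitor.gdpr_ack:
            return False
        if self.organisations and visitor.organisation not in self.organisations:
            return False
        return True


def select_for_purge(visitors, rule, now):
    """IDs the rule would delete; the caller deletes them in one batch."""
    return [v.id for v in visitors if rule.matches(v, now)]


def purge(visitors, rule, now):
    """Return (remaining_visitors, purged_ids)."""
    doomed = set(select_for_purge(visitors, rule, now))
    remaining = [v for v in visitors if v.id not in doomed]
    return remaining, sorted(doomed)


# Constructed sample data, evaluated against a fixed clock for repeatability.
NOW = datetime(2024, 3, 1, 8, 0, tzinfo=timezone.utc)
SAMPLE_VISITORS = [
    Visitor(1, "acme", NOW - timedelta(days=100), gdpr_ack=True),
    Visitor(2, "acme", NOW - timedelta(days=100), gdpr_ack=False),
    Visitor(3, "globex", NOW - timedelta(days=100), gdpr_ack=True),
    Visitor(4, "acme", NOW - timedelta(days=10), gdpr_ack=True),
    Visitor(5, "acme", NOW - timedelta(days=90), gdpr_ack=True),  # on the boundary
]

if __name__ == "__main__":
    rule = RetentionRule(90, require_gdpr_ack=True, organisations=frozenset({"acme"}))
    print("would purge:", select_for_purge(SAMPLE_VISITORS, rule, NOW))
```

In a Django deployment the equivalent of `select_for_purge` would be an ORM query of the form `Model.objects.filter(created_at__lt=cutoff, ...)` followed by `.delete()`, registered as a Django-Q `Schedule` so it runs at the chosen interval; that wiring is an assumption about how such a task is typically built, not a description of the Visitor Express code. The two things worth keeping from the example are the timezone check and the strict inequality at the cutoff, since a naive timestamp or an off-by-one at the boundary is how retention jobs delete a day too early.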

  • Penetration Testing – Can we have a copy of the latest penetration test completed, with details of the vendor who completed it?

We perform yearly penetration tests with third-party providers; the most recent was performed by Samurai Security UK in February 2023. These are done fully independently, under the control of one of our clients. We fully passed this most recent penetration test, and as part of this process also passed the [Cyber Essentials accreditation](/static/pdf/cyber-essentials-netfmukltd-2023-08-08-13-21-51.pdf). NetFM can facilitate any third-party penetration test; we always require a written request to be submitted and approved beforehand, otherwise such testing will be treated as a denial-of-service attack. In-house penetration tests are run using OWASP ZAP. We also run fully automated static application security testing (SAST) on our code base using GitLab continuous integration hooks, and can provide GitLab access to customers requiring code-level security reviews. We do not share one client's penetration test report with other clients. A redacted full report of an older penetration test performed by Rapid1 on the Visitor Express platform can be found here: Penetration Test Report.

  • SSO – Has Visitor Express implemented single sign-on with any other company?

Single sign-on is used daily on Visitor Express. The Azure-based SAML service is used by Skyscanner. As well as supporting Microsoft SAML-based authentication, Visitor Express fully supports the Django authentication plugin services, so it can support most social-media logins (Google, Facebook/Meta, LinkedIn) and the popular identity service Auth0. The airport parking service at Glasgow Airport supports customer logins using a bespoke unique-email login service as part of its customer loyalty programme.

The entire Azure setup process is fully documented here.

  • Data Upload – Can we do an automated daily, weekly, or monthly data upload? Who does it, and can it be automated?

All models within the Visitor Express service support three methods of data management. First, there is an admin-only web interface that allows full textual search and editing of all data models. Second, there is full API access to add/delete/edit functions, so that Visitor Express can be coupled to other processes and the upload automated. Lastly, Visitor Express supports bulk upload and export of data via CSV files.

All backend data is accessed through the Django ORM, which gives every web service a consistent access layer. The data behind the ORM is held in a PostgreSQL database on mirrored SSD disks for the fastest access available. The PostgreSQL database is configured with live replication, so there is full mirroring at the server level as well. Replication faithfully copies deletions and corruption to the replica, so it is not a substitute for backups: we take incremental backups hourly and full backups daily to separate disk storage, all held within OVH's secure hosting services at different UK-based locations.
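As an added example covering the CSV bulk-upload and export path described above (not Visitor Express code), the block below validates a constructed CSV row by row, reports rejected rows with their line numbers instead of aborting the whole file, de-duplicates on e-mail, and hands the good rows to a pluggable `send` callable standing in for the REST API client. It also includes a `safe_cell` helper for the export direction, because a CSV opened in a spreadsheet executes cells beginning with `=`, `+`, `-` or `@` as formulas. The column names, the transport and the sample data are all assumptions.

```python
"""CSV bulk-upload validation and formula-safe export cells.

Added example, not Visitor Express code. The column names, the `send`
transport and the sample CSV are constructed; the API is represented by a
callable so the block runs offline.
"""
import csv
import io
import re
from datetime import datetime

REQUIRED = ("name", "email", "organisation", "visit_date")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_row(row):
    """Return (payload, []) for a good row or (None, [errors]) for a bad one.
    Every problem in the row is reported, not just the first."""
    errors = []
    for field in REQUIRED:
        if not (row.get(field) or "").strip():
            errors.append(f"missing {field}")
    email = (row.get("email") or "").strip().lower()
    if email and not EMAIL_RE.match(email):
        errors.append("invalid email")
    visit_date = (row.get("visit_date") or "").strip()
    if visit_date:
        try:
            datetime.strptime(visit_date, "%Y-%m-%d")
        except ValueError:
            errors.append("visit_date must be YYYY-MM-DD")
    if errors:
        return None, errors
    return {
        "name": row["name"].strip(),
        "email": email,
        "organisation": row["organisation"].strip(),
        "visit_date": visit_date,
    }, []


def parse_csv(text):
    """Validate a whole CSV. Bad rows are collected with their line numbers
    so the uploader can fix them; good rows are still imported."""
    reader = csv.DictReader(io.StringIO(text))
    payloads, rejected, seen = [], [], set()
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        payload, errors = validate_row(row)
        if payload is None:
            rejected.append((line_no, errors))
            continue
        if payload["email"] in seen:  # case-insensitive duplicate in the file
            rejected.append((line_no, ["duplicate email"]))
            continue
        seen.add(payload["email"])
        payloads.append(payload)
    return payloads, rejected


def bulk_upload(text, send):
    """Push validated rows through `send(payload) -> response` one by one."""
    payloads, rejected = parse_csv(text)
    return [send(p) for p in payloads], rejected


def make_recording_sender():
    """Offline stand-in for the API client: records payloads, fakes ids."""
    calls = []

    def send(payload):
        calls.append(payload)
        return {"id": len(calls), **payload}

    return send, calls


def safe_cell(value):
    """Neutralise spreadsheet formula injection on export. Excel and
    LibreOffice evaluate cells starting with = + - @ or a tab/CR, so such
    cells are prefixed with a quote (negative numbers included, by design)."""
    text = str(value)
    if text.startswith(("=", "+", "-", "@", "\t", "\r")):
        return "'" + text
    return text


# Constructed upload: one clean row, three rows with one fault each, one
# duplicate that differs only in e-mail case, and a final clean row.
SAMPLE_CSV = """name,email,organisation,visit_date
Alice Example,alice@example.com,Acme,2024-03-04
Bob Example,bob@example,Acme,2024-03-04
,carol@example.com,Globex,2024-03-05
Dan Example,dan@example.com,Globex,04/03/2024
Alice Again,ALICE@example.com,Acme,2024-03-06
Eve Example,eve@example.com,Acme,2024-03-07
"""

if __name__ == "__main__":
    send, calls = make_recording_sender()
    results, rejected = bulk_upload(SAMPLE_CSV, send)
    print(f"uploaded {len(results)} rows, rejected {rejected}")
```

For a real scheduled upload the `send` callable would wrap an authenticated HTTP client, and the rejected list is what should go into the job's report rather than being silently dropped. The `safe_cell` step belongs on every exported column that carries visitor-supplied text, since a visitor's name is the classic place for a formula payload to arrive.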

  • API – Does Visitor Express have any API documentation, or evidence of where they have used an API with another system

Visitor Express has a full RESTful API which can be openly browsed on our demo visitor management service: Titanium APIs. This API has been used by Vodafone to link Visitor Express directly to PeopleSoft HR services and to Proxyclick front-of-house services. Glasgow Airport parking services (Airport Park and Ride) have linked Visitor Express with a payment gateway using Handepay. Devon County Council has linked Visitor Express to the Civica payment service. The Canary Wharf car park service has linked Visitor Express to the takepaymentsplus cash-free payment service.

  • Accessibility compliance – the app must meet the WCAG 2.1 AA standard

We test all our web interfaces for accessibility compliance using pa11y, configured to use the WCAG 2.1 rules. The pa11y run is automated in GitLab CI/CD, so a full accessibility report is generated on every frontend code change and is viewable by all clients with GitLab access. Automated checks of this kind cover only the machine-testable subset of the WCAG criteria, so they complement rather than replace manual review.