This page maps each SHIELD stage to what was actually done at LiStDan Finance. Every stage produced a concrete output that fed directly into the next one.


S — Survey | Discovery and Scoping

Before any framework was applied, the full operational context of LiStDan Finance was established. The Risk Management Scope Document was produced and confirmed, defining the assessment boundary across Azure-hosted infrastructure, mobile applications, core backend services, all eight third-party vendor relationships, and the complete data processing landscape. Out-of-scope items were formally documented with written justification. Stakeholders were identified and roles assigned.

Output: Risk Management Scope Document


H — Hypothesise | Risk Identification Before Assessment

Before reviewing a single policy document, a structured set of risk hypotheses was formed from LiStDan Finance’s business model, data landscape, and industry threat profile. Three primary hypotheses emerged: that IAM configurations in an Azure-hosted fintech would carry predictable access control gaps; that GDPR documentation would be materially absent given the scale of personal data processing; and that incident response posture would be early-stage given the company’s size and maturity. These hypotheses directed the depth of the Inspect stage toward the areas of highest probable risk.

Output: Structured risk hypothesis log (internal)


I — Inspect | Evidence-Based Control Assessment

Every control was assessed against evidence, and a control was marked compliant only when documentation confirmed it. Seven project documents were reviewed. All eight vendor relationships were assessed across three dedicated evaluation files. Thirty-six controls were evaluated across ISO 27001:2022 Annex A, NIST CSF v1.1, and GDPR. Every Non-Compliant finding was anchored to a specific evidence absence or documentation gap. Fourteen evidence items were formally tracked as either provided or not provided.

Output: Evidence log, gap narrative per finding, compliance status per control


E — Evaluate | Risk Scoring and Prioritisation

Findings were scored using a Likelihood × Impact model, each rated on a 1–3 scale, producing risk scores from 1 to 9. A regulatory weight multiplier was applied to GDPR findings to reflect their direct enforcement exposure. Findings were assigned to three remediation phases: Phase 1 (0–30 days), Phase 2 (30–90 days), and Phase 3 (90–180 days). Twenty-two High-priority findings and thirteen Medium-priority findings were identified.

Output: Scored risk register, phased remediation roadmap


L — Legalise | Documentation and Findings Output

Every finding was formally documented with a Finding ID, evidence reviewed, gap narrative, recommendation, priority tier, and named owner. Three major written deliverables were produced: the Gap Analysis Report (36 findings with full evidence log and remediation roadmap), the Mitigation Recommendation Report (step-by-step implementation guidance for all 36 findings), and the Risk Assessment Report (executive-level synthesis).