D-004 - NIST Security Assessment

Summary – NIST Security Assessment

Triple EEE IT Services will assess the security and compliance capabilities of your organization against the de-facto industry standard of the US National Institute of Standards and Technology (NIST) Cyber Security Framework. The NIST framework covers risk identification, asset protection, incident detection, response, and recovery. The assessment delivers a clearly structured report and is invaluable input to your risk posture, your cyber strategy, and your cyber capability roadmap.

Value Proposition

Cyber security and legal compliance are critical capabilities for any organization in the light of ever evolving cyber threats and increasing regulatory pressures. Oil & Gas organizations have traditionally seen an above average exposure to cyber threats, given their geopolitical position. The required capabilities to effectively defend the organization are wide ranging and complex.

A NIST assessment of your capabilities will provide you with a clear benchmark against the NIST cyber security framework , the de-facto industry standard, and will provide invaluable insights for governing your security and compliance capabilities.


The assessment will be conducted through a review of your risk matrix, technical and process documentation, Cyber Security governance, interviews with stakeholders inside and outside your security and compliance function, and – optional – technical assessments and penetration testing of (parts of) your IT environment.


The assessment will be carried out by deep experts with a minimum of 15 years relevant experience in governance, operations, and relevant technologies in the Oil & Gas Industry. The optional technical assessments will consider the latest tactics, techniques and procedures used by your adversaries.  


The effort of the assessment depends on the depth of the review and the scope of your environments being assessed. Paper assessments (including interviews) can be conducted from an effort of 15 man-days. Assessments including technical work will require a minimum of 30 mandays.


The assessment will produce one or more reports depending on the scope. The reports will propose improvements based on priority. The service delivery will be concluded with a read-out of the reports to your stakeholders, and a joint evaluation of the delivery.


The scoping of the assessment will consider which lines of business to include, the number of documents to review, the number of stakeholders to interview, the number of systems to technically assess (including Industrial security if required), and the potential inclusion of third-party security reputation scores. Scoping is determined as part of the service intake process and is followed by a specific service proposal for agreement.


Send me an email

    Contact Hugo Cerutti

    Hugo Cerutti



    +316 46 14 05 13

    Do you have questions about how we can help your company?
    Send me an email and we will contact you.