Glossary

Security terms, in plain language.

Clear definitions for the GRC and cyber security terms NZ practitioners actually use. Written for security leads, not compliance consultants.

Last updated: May 2026

B

Business case (security)

A document presented to leadership or a funding committee that translates a security gap into financial and operational risk, proposes a remediation, and justifies the investment required. Effective security business cases connect control weaknesses to likely impact, not just compliance gaps.

Related: Risk treatment, Residual risk

C

CISO

Chief Information Security Officer. The senior executive responsible for an organisation's information and cyber security programme. In smaller NZ organisations, this role is often held by a Head of Security, IT Security Manager, or equivalent.

Control

A measure put in place to reduce a specific security risk. Controls can be technical (firewalls, encryption), procedural (access review processes), or administrative (security policies). Frameworks like MCSS and NZISM define required controls for covered organisations.

Related: Control effectiveness, MCSS, NZISM

Control effectiveness

A rating or score indicating how well a control is actually reducing the risk it's designed to address. A control can be 'in place' (documented or deployed) but have low effectiveness (misconfigured, not enforced, or bypassed in practice). Speculo scores both presence and effectiveness.

Related: Control, Risk posture

E

Evidence management

The process of collecting, storing, and organising proof that a control is in place and working. Good evidence management means screenshots, logs, policy documents, and attestations are linked to specific controls and retrievable quickly during an audit.

Related: Control, Risk assessment

F

FMA

Financial Markets Authority. New Zealand's financial markets conduct regulator, responsible for overseeing financial advisers, fund managers, market services licensees, and listed securities. Under New Zealand's twin-peaks model, the FMA handles conduct regulation while the RBNZ handles prudential regulation of banks and insurers. The FMA has issued cyber security and operational resilience guidance, with increasing supervisory attention on cyber security controls and incident reporting.

Related: RBNZ, Risk posture

G

GRC

Governance, Risk, and Compliance. An umbrella term for the frameworks, processes, and tools organisations use to manage risk, meet regulatory obligations, and make accountable decisions. GRC platforms are designed to support assessments, track findings, and report status.

GCDO

Government Chief Digital Officer. The role within the New Zealand Department of Internal Affairs responsible for digital government strategy and policy. The GCDO sets digital and data standards across the public sector, and its mandate covers public service departments and a defined set of Crown entities. The GCDO's mandate does not include the Minimum Cyber Security Standards (MCSS), which are mandated by the GCISO.

Related: GCISO, GCSB

GCISO

Government Chief Information Security Officer. The role held by the Director-General of the GCSB, responsible for providing leadership on information security across the New Zealand government. The GCISO mandates the Minimum Cyber Security Standards (MCSS) for a defined set of agencies covered under the Protective Security Requirements (PSR) framework, and maintains authority over the New Zealand Information Security Manual (NZISM).

Related: MCSS, NZISM, GCSB

GCSB

Government Communications Security Bureau. New Zealand's national intelligence and security agency, responsible for information assurance and cyber security. The GCSB publishes the New Zealand Information Security Manual (NZISM) and operates the National Cyber Security Centre (NCSC).

Related: NZISM, NCSC

H

HISF

Health Information Security Framework. The New Zealand framework published by Health New Zealand (Te Whatu Ora) covering how health and disability sector organisations protect personally identifiable health information and clinical systems. HISF aligns with and references NZISM and ISO 27001, with additional health-specific obligations around system availability and the security of clinical data.

Related: NZISM, MCSS

I

Inherent risk

The level of risk that exists before any controls are applied. Inherent risk is determined by the likelihood and impact of a threat, independent of what the organisation has done to mitigate it. Comparing inherent risk to residual risk shows how much your controls are actually reducing exposure.

Related: Residual risk, Risk treatment

ISO 27001

An international standard for information security management systems (ISMS). ISO 27001 certification requires organisations to implement a set of controls, maintain documentation, and undergo external audits. It's often required by enterprise customers and some NZ government procurement processes.

M

Maturity model

A structured framework for measuring the sophistication and consistency of an organisation's security practices, typically on a scale from Initial (ad-hoc) through to Optimising (continuously improving). Maturity models let organisations see where they are today, define a target state, and prioritise improvements. Speculo uses maturity levels as one of two ways to assess controls, alongside an effectiveness rating.

Related: Control effectiveness, Risk assessment

MCSS

Minimum Cyber Security Standards. A set of baseline security requirements published by the National Cyber Security Centre (NCSC) and mandated by the Government Chief Information Security Officer (GCISO) for a defined set of agencies covered under the Protective Security Requirements (PSR) framework. The ten standards cover areas including risk management, patching, multi-factor authentication, and incident response. Covered agencies are required to assess and report their posture as part of the PSR assurance process.

Related: NCSC, GCISO, NZISM, Risk posture

MFA

Multi-Factor Authentication. A security control requiring users to verify their identity through two or more independent methods before gaining access, typically a password combined with a time-based code or push notification. MFA is one of the most effective controls for reducing account compromise risk and is a baseline requirement in most NZ security frameworks.

Related: Control, NZISM

MSSP

Managed Security Service Provider. A third-party organisation that provides outsourced monitoring, management, and operation of security services on behalf of client organisations. MSSPs typically manage risk assessments, compliance programmes, and reporting across a portfolio of clients, and need tools that support multi-tenant access and client-level visibility.

Related: GRC

N

NCSC

National Cyber Security Centre. New Zealand's lead operational cyber security agency, operating within the GCSB. The NCSC administers the Minimum Cyber Security Standards (MCSS), which are mandated under the Government Chief Information Security Officer (GCISO). It also provides threat intelligence, incident response support, and security guidance to NZ organisations. CERT NZ's functions merged into the NCSC in July 2024.

Related: MCSS, GCSB, NZISM

NIST CSF

National Institute of Standards and Technology Cybersecurity Framework. A US-developed framework that organises security activities into six functions: Govern, Identify, Protect, Detect, Respond, and Recover (CSF 2.0, 2024). Widely adopted internationally and increasingly used by NZ organisations alongside local frameworks.

NZISM

New Zealand Information Security Manual. The primary information security standard for New Zealand government agencies, published by the GCSB and maintained by the NCSC in support of the GCISO. NZISM provides a baseline set of controls for government information and systems, with additional controls applied based on risk assessment and information classification. Crown entities, local government, and private sector organisations are also encouraged to adopt it.

Related: MCSS, HISF

P

PCI-DSS

Payment Card Industry Data Security Standard. A set of security requirements for organisations that store, process, or transmit payment card data. Developed by the PCI Security Standards Council and enforced by card brands and acquiring banks. Compliance is required for any NZ organisation handling card transactions, regardless of volume.

Related: ISO 27001, Risk assessment

R

Remediation

The work done to address a control gap or finding. A remediation might be a technical fix, a process change, a policy update, or a decision to accept the risk. Prioritising remediations correctly, based on exposure rather than urgency signals alone, is one of the hardest parts of managing a risk register.

Related: Risk register, Risk treatment

Residual risk

The risk that remains after controls have been applied. Even well-implemented controls don't eliminate risk entirely. Residual risk is what your organisation accepts when it decides its controls are adequate, or the gap it's trying to close when it requests funding.

Related: Inherent risk, Risk appetite, Risk treatment

Risk appetite

The amount and type of risk an organisation is willing to accept in pursuit of its objectives. Risk appetite statements are typically set by the board and communicated to security teams so they know what level of residual risk is acceptable without escalation.

Related: Residual risk

Risk assessment

A structured process for identifying threats, evaluating vulnerabilities, estimating likelihood and impact, and determining the level of risk. In Speculo, risk assessments are tied to specific control frameworks so findings are immediately reportable against MCSS, NZISM, or other standards.

Related: Control effectiveness, Risk register

Risk posture

The overall security position of an organisation at a point in time, reflecting which risks are well-controlled and which are exposed. A strong risk posture doesn't mean no risk; it means the organisation understands its exposure and has made deliberate decisions about it.

Related: Risk assessment, Control effectiveness

Risk register

A document or database that lists identified risks, their likelihood and impact scores, the controls in place, residual risk levels, and remediation status. In practice, many NZ organisations maintain risk registers in spreadsheets, which creates problems with version control, evidence linkage, and reporting.

Related: Remediation, Risk assessment

RBNZ

Reserve Bank of New Zealand. New Zealand's central bank and prudential regulator for banks, insurers, and non-bank deposit takers. The RBNZ has issued cyber resilience guidance and expects regulated entities to demonstrate mature cyber security governance, with assessments forming part of supervisory reviews.

Related: FMA, Risk posture

Risk treatment

A decision about how to handle a specific risk. The four standard risk treatment options are: mitigate (reduce the risk with controls), accept (acknowledge and tolerate the residual risk), transfer (shift exposure via insurance or contracts), or avoid (stop the activity that creates the risk).

Related: Residual risk, Risk register

S

SOC 2

Service Organization Control 2. An auditing standard developed by the American Institute of Certified Public Accountants (AICPA) covering how service organisations manage data to protect client interests. SOC 2 reports are commonly requested by enterprise and government customers when procuring SaaS or cloud services, and are often used as a proxy for security maturity during vendor assessments.

Related: ISO 27001, GRC
