[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"article:sg":3},{"meta":4,"markdown":79,"quiz":80},{"type":5,"articleId":6,"slug":7,"title":8,"titleEn":9,"category":10,"summary":11,"publishedAt":12,"image":13,"vocabulary":14,"quizId":78},"article","exam-sg","sg","情報セキュリティマネジメント試験 — 管理者向けセキュリティ","SG Exam — Security for Managers","exams","Overview of the Information Security Management Exam (SG \u002F 情報セキュリティマネジメント試験) — Japan's national qualification aimed at non-technical managers and business users responsible for information security in their organizations. Covers Subject A + Subject B CBT format, the CIA triad, key laws (Personal Information Protection Act, Unauthorized Access Prohibition Act), ISMS, risk assessment, and authentication\u002Fencryption\u002Fmalware basics.\n","2026-04-27T00:00:00Z","https:\u002F\u002Fimages.yamiyomi.com\u002Fexam-sg.png",[15,20,24,28,32,36,40,44,49,53,57,61,65,70,74],{"word":16,"reading":17,"meaning":18,"level":19},"機密性","きみつせい","confidentiality","N1",{"word":21,"reading":22,"meaning":23,"level":19},"完全性","かんぜんせい","integrity",{"word":25,"reading":26,"meaning":27,"level":19},"可用性","かようせい","availability",{"word":29,"reading":30,"meaning":31,"level":19},"認証","にんしょう","authentication",{"word":33,"reading":34,"meaning":35,"level":19},"暗号","あんごう","cryptography",{"word":37,"reading":38,"meaning":39,"level":19},"脅威","きょうい","threat",{"word":41,"reading":42,"meaning":43,"level":19},"脆弱性","ぜいじゃくせい","vulnerability",{"word":45,"reading":46,"meaning":47,"level":48},"資産","しさん","asset","N2",{"word":50,"reading":51,"meaning":52,"level":48},"評価","ひょうか","evaluation",{"word":54,"reading":55,"meaning":56,"level":48},"対策","たいさく","countermeasure",{"word":58,"reading":59,"meaning":60,"level":48},"不正","ふせい","unauthorized",{"word":62,"reading":63,"meaning":64,"level":19},"漏えい","ろうえい","leakage",{"word":66,"reading":67,"meaning":68,"level":69},"管理","かんり","management","N3",{"word":71,"reading":72,"meaning":73,"level":69},"教育","きょういく","education",{"word":
75,"reading":76,"meaning":77,"level":48},"監査","かんさ","audit","exam-sg-quiz","\n::heading\n[情報]{じょうほう:information:N3}セキュリティマネジメント[試験]{しけん:exam:N4}とは\n\n#en\nWhat is the SG Exam?\n::\n\n::para\n[情報]{じょうほう:information:N3}セキュリティマネジメント[試験]{しけん:exam:N4}（[略称]{りゃくしょう:abbreviation:N1}「SG」）は、[経済産業省]{けいざいさんぎょうしょう:METI:N2}[認定]{にんてい:certified:N3}・IPA[実施]{じっし:administered:N1}の[国家試験]{こっかしけん:national exam:N4}で、[情報処理]{じょうほうしょり:information processing:N3}[技術者]{ぎじゅつしゃ:engineer:N2}[試験]{しけん:exam:N4}「レベル2」に[相当]{そうとう:corresponds to:N3}する。FEと[同]{おな:same:N4}じレベルだが、[対象者]{たいしょうしゃ:target audience:N2}が[異なる]{ことなる:differs:N1}：FEがエンジニア[志望]{しぼう:aspiring:N1}[向け]{むけ:targeted:N3}であるのに[対し]{たいし:whereas:N3}、SGは[非]{ひ:non-:N3}エンジニアの[管理職]{かんりしょく:managers:N2}・[業務]{ぎょうむ:business:N3}[担当者]{たんとうしゃ:operators:N2}（[一般]{いっぱん:general:N2}[利用者]{りようしゃ:users:N3}や[部門]{ぶもん:department:N2}[管理者]{かんりしゃ:managers:N2}）が[情報]{じょうほう:information:N3}セキュリティを[管理]{かんり:manage:N2}する[立場]{たちば:position:N4}で[必要]{ひつよう:needed:N3}な[知識]{ちしき:knowledge:N3}を[問う]{とう:asks:N4}。\n\n#en\nThe Information Security Management Exam (SG) is a METI-certified, IPA-administered national exam at \"Level 2\" of the Information Processing Engineer Examinations. 
It is the same level as FE but targets a different audience: while FE targets aspiring engineers, SG asks for the knowledge needed by non-technical managers and business operators (general users and departmental managers) when they manage information security from their position.\n::\n\n::callout\n[試験]{しけん:exam:N4}のポイント：SGは2016[年]{ねん:year:N5}に[新設]{しんせつ:newly created:N2}された[比較的]{ひかくてき:relatively:N1}[新しい]{あたらしい:new:N4}[試験]{しけん:exam:N4}で、[標的型]{ひょうてきがた:targeted:N1}[攻撃]{こうげき:attacks:N1}・[内部]{ないぶ:internal:N3}[不正]{ふせい:fraud:N4}・クラウド[利用]{りよう:use:N3}・テレワークなど、[現代]{げんだい:modern:N3}の[企業]{きぎょう:enterprise:N1}が[直面]{ちょくめん:face:N3}するセキュリティ[課題]{かだい:challenges:N2}に[即した]{そくした:aligned with:N1}[内容]{ないよう:content:N3}が[特徴]{とくちょう:characteristic:N1}。2023[年]{ねん:year:N5}4[月]{がつ:month:N5}よりCBT[方式]{ほうしき:method:N3}で[通年]{つうねん:year-round:N4}[受験]{じゅけん:taking:N3}が[可能]{かのう:possible:N3}。\n\n#en\nExam Tip: SG is a relatively new exam, established in 2016, characterized by content aligned with security challenges modern enterprises face — targeted attacks, internal fraud, cloud use, telework. 
Since April 2023, it is CBT and available year-round.\n::\n\n::heading\n[試験]{しけん:exam:N4}[形式]{けいしき:format:N3}と[科目]{かもく:subject:N3}[構成]{こうせい:structure:N3}\n\n#en\nExam Format and Subject Structure\n::\n\n::para\nSGはFEと[同様]{どうよう:same as:N3}に[科目]{かもく:subject:N3}A・[科目]{かもく:subject:N3}Bの2[部]{ぶ:parts:N3}[構成]{こうせい:structure:N3}である。[科目]{かもく:subject:N3}Aは[四肢]{しし:four-choice:N1}[択一式]{たくいつしき:multiple choice:N1}で[全]{ぜん:total:N3}48[問]{もん:questions:N4}、[試験]{しけん:exam:N4}[時間]{じかん:time:N5}60[分]{ふん:minutes:N5}。[出題範囲]{しゅつだいはんい:scope:N1}は[情報]{じょうほう:information:N3}セキュリティの[基本]{きほん:basics:N1}・[管理]{かんり:management:N2}・[技術]{ぎじゅつ:technology:N2}・[関連]{かんれん:related:N3}[法令]{ほうれい:laws:N2}が[中心]{ちゅうしん:center:N4}で、[一部]{いちぶ:partially:N3}テクノロジ[系]{けい:domain:N1}の[基礎]{きそ:basics:N1}（[ネットワーク]{ねっとわーく:network}・[データベース]{でーたべーす:database}）も[出題]{しゅつだい:asked:N4}される。[科目]{かもく:subject:N3}Bは[長文]{ちょうぶん:long-form:N4}[読解]{どっかい:reading comprehension:N3}[式]{しき:format:N3}で[全]{ぜん:total:N3}12[問]{もん:questions:N4}、[試験]{しけん:exam:N4}[時間]{じかん:time:N5}90[分]{ふん:minutes:N5}。[実務]{じつむ:practical:N3}シナリオ（インシデント[対応]{たいおう:response:N1}・[内部]{ないぶ:internal:N3}[不正]{ふせい:fraud:N4}・サプライチェーン[攻撃]{こうげき:attack:N1}など）に[基づいた]{もとづいた:based on:N1}[事例]{じれい:case:N3}[問題]{もんだい:problems:N4}が[出題]{しゅつだい:asked:N4}される。\n\n#en\nSG, like FE, consists of Subject A and Subject B. Subject A is four-choice multiple choice with 48 questions in 60 minutes. The scope centers on information security basics, management, technology, and related laws, with some basic Technology-domain content (network, database) also asked. Subject B is long-form reading comprehension with 12 questions in 90 minutes. 
Case problems based on practical scenarios (incident response, internal fraud, supply chain attacks) are asked.\n::\n\n::para\n[合格基準]{ごうかくきじゅん:passing criteria:N1}は[科目]{かもく:subject:N3}A・[科目]{かもく:subject:N3}Bそれぞれ600[点]{てん:points:N3}\u002F1000[点]{てん:points:N3}[以上]{いじょう::N4}。[受験料]{じゅけんりょう:exam fee:N3}は[税込]{ぜいこみ:tax included:N2}7,500[円]{えん:yen:N5}。[合格率]{ごうかくりつ:pass rate:N1}は[公表]{こうひょう:public:N3}データで[約]{やく:approximately:N3}50%[前後]{ぜんご:around:N5}と、[国家]{こっか:national:N4}[資格]{しかく:qualification:N3}としては[比較的]{ひかくてき:relatively:N1}[高い]{たかい:high:N5}[合格率]{ごうかくりつ:pass rate:N1}を[維持]{いじ:maintains:N1}している。これは「[管理職]{かんりしょく:managers:N2}・[業務]{ぎょうむ:business:N3}[担当者]{たんとうしゃ:operators:N2}が[挑戦]{ちょうせん:challenge:N1}しやすい[難易度]{なんいど:difficulty level:N3}」を[意識的]{いしきてき:consciously:N3}に[設計]{せっけい:designed:N2}した[結果]{けっか:result:N1}である。\n\n#en\nThe passing criteria require 600\u002F1000 or higher on each of Subject A and Subject B. The fee is 7,500 yen including tax. The published pass rate is about 50%, relatively high for a national qualification. 
This results from consciously designing for \"a difficulty level easy for managers and business operators to challenge.\"\n::\n\n::heading\n[出題範囲]{しゅつだいはんい:scope:N1}：4つの[領域]{りょういき:areas:N2}\n\n#en\nScope: The Four Areas\n::\n\n::para\nSGの[出題範囲]{しゅつだいはんい:scope:N1}は[大]{おお:major:N5}きく4つに[分けられる]{わけられる:divided:N5}。[第]{だい:area:N1}1の「[情報]{じょうほう:information:N3}セキュリティの[基本]{きほん:basics:N1}」では、CIA[三要素]{さんようそ:three elements:N1}（[機密性]{きみつせい:Confidentiality:N1}・[完全性]{かんぜんせい:Integrity:N3}・[可用性]{かようせい:Availability:N3}）、[真正性]{しんせいせい:authenticity:N3}・[責任]{せきにん:accountability:N3}・[否認]{ひにん:non-repudiation:N3}[防止]{ぼうし:prevention:N2}・[信頼性]{しんらいせい:reliability:N3}を[加えた]{くわえた:added:N3}7[要素]{ようそ:elements:N1}、[脅威]{きょうい:threats:N1}（[人為的]{じんいてき:human-caused:N1}・[自然的]{しぜんてき:natural:N3}）と[脆弱性]{ぜいじゃくせい:vulnerabilities:N1}の[関係]{かんけい:relationship:N3}、[情報]{じょうほう:information:N3}[資産]{しさん:assets:N3}と[リスク]{りすく:risk}の[関係]{かんけい:relationship:N3}を[扱う]{あつかう:covers:N1}。\n\n#en\nSG's scope is divided into four major areas. Area 1, \"Information Security Basics,\" covers the CIA triad (Confidentiality, Integrity, Availability), the seven elements adding authenticity, accountability, non-repudiation, and reliability, the relationship between threats (human-caused\u002Fnatural) and vulnerabilities, and the relationship between information assets and 
risk.\n::\n\n::para\n[第]{だい:area:N1}2の「[関連]{かんれん:related:N3}[法令]{ほうれい:laws:N2}」では、[個人]{こじん:personal:N2}[情報]{じょうほう:information:N3}[保護]{ほご:protection:N1}[法]{ほう:law:N3}（2022[年]{ねん:year:N5}[改正]{かいせい:amendment:N2}・[漏えい]{ろうえい:leakage:N1}[報告]{ほうこく:report:N3}[義務化]{ぎむか:mandatory:N1}）、[不正]{ふせい:unauthorized:N4}[アクセス]{あくせす:access}[禁止]{きんし:prohibition:N2}[法]{ほう:law:N3}（ID\u002F[パスワード]{ぱすわーど:password}の[盗用]{とうよう:theft:N3}・[助長]{じょちょう:abetting:N3}[行為]{こうい:act:N1}）、[不正]{ふせい:unfair:N4}[競争]{きょうそう:competition:N2}[防止]{ぼうし:prevention:N2}[法]{ほう:law:N3}（[営業]{えいぎょう:trade:N2}[秘密]{ひみつ:secret:N1}の3[要件]{ようけん:requirements:N3}）、[著作権]{ちょさくけん:copyright:N2}[法]{ほう:law:N3}、サイバーセキュリティ[基本]{きほん:basic:N1}[法]{ほう:law:N3}など[企業]{きぎょう:enterprise:N1}が[遵守]{じゅんしゅ:compliance:N1}すべき[法令]{ほうれい:laws:N2}を[理解]{りかい:understand:N3}する。「[個人]{こじん:personal:N2}[情報]{じょうほう:information:N3}」「[要]{よう:requiring:N3}[配慮]{はいりょ:special care:N1}[個人]{こじん:personal:N2}[情報]{じょうほう:information:N3}」「[匿名]{とくめい:anonymous:N1}[加工]{かこう:processing:N3}[情報]{じょうほう:information:N3}」の[定義]{ていぎ:definitions:N1}は[頻出]{ひんしゅつ:frequent:N1}。\n\n#en\nArea 2, \"Related Laws,\" covers laws enterprises must comply with: Personal Information Protection Act (2022 amendment, mandatory leakage reporting), Unauthorized Access Prohibition Act (theft of IDs\u002Fpasswords and abetting acts), Unfair Competition Prevention Act (the three trade-secret requirements), Copyright Act, Basic Cybersecurity Act, etc. 
Definitions of \"personal information,\" \"special care-required personal information,\" and \"anonymously processed information\" are frequently asked.\n::\n\n::callout\n[法令]{ほうれい:laws:N2}のポイント：[個人]{こじん:personal:N2}[情報]{じょうほう:information:N3}[保護]{ほご:protection:N1}[法]{ほう:law:N3}の[漏えい]{ろうえい:leakage:N1}[報告]{ほうこく:reporting:N3}[義務]{ぎむ:obligation:N1}（1,000[件]{けん:cases:N3}[超]{ちょう:exceeding:N2}・[要]{よう:requiring:N3}[配慮]{はいりょ:special care:N1}[情報]{じょうほう:information:N3}・[財産]{ざいさん:financial:N3}[損害]{そんがい:damage:N2}・[不正]{ふせい:improper:N4}[目的]{もくてき:purpose:N4}の4[要件]{ようけん:requirements:N3}）と、[不正]{ふせい:unauthorized:N4}[アクセス]{あくせす:access}[禁止]{きんし:prohibition:N2}[法]{ほう:law:N3}の「[助長]{じょちょう:abetting:N3}[行為]{こうい:act:N1}」（[他人]{たにん:another's:N3}のID\u002F[パスワード]{ぱすわーど:password}の[提供]{ていきょう:disclosure:N1}）の[禁止]{きんし:prohibition:N2}は[必須]{ひっす:required:N1}[暗記]{あんき:memorization:N3}[項目]{こうもく:items:N1}。\n\n#en\nLaw Tip: The Personal Information Protection Act's mandatory leakage reporting (the 4 requirements: exceeding 1,000 cases, special-care information, financial damage, improper purpose) and the Unauthorized Access Prohibition Act's \"abetting act\" (disclosing another's ID\u002Fpassword) are required memorization items.\n::\n\n::heading\n[第]{だい:area:N1}3の[領域]{りょういき:area:N2}：[情報]{じょうほう:information:N3}セキュリティ[管理]{かんり:management:N2}（ISMS・[リスク]{りすく:risk}[評価]{ひょうか:assessment:N1}）\n\n#en\nArea 3: Information Security Management (ISMS, Risk Assessment)\n::\n\n::para\n[情報]{じょうほう:information:N3}セキュリティマネジメント[システム]{しすてむ:system}（ISMS、ISO\u002FIEC 27001[準拠]{じゅんきょ:compliant:N1}）の[全体像]{ぜんたいぞう:overall picture:N2}を[理解]{りかい:understand:N3}する。[情報]{じょうほう:information:N3}セキュリティ[方針]{ほうしん:policy:N2}、[資産]{しさん:asset:N3}[管理]{かんり:management:N2}、[アクセス]{あくせす:access}[制御]{せいぎょ:control:N3}、[物理的]{ぶつりてき:physical:N4}・[環境的]{かんきょうてき:environmental:N1}セキュリティ、[インシデント]{いんしでんと:incident}[管理]{かんり:management:N2}、[事業]{じぎょう:business:N4}[継続]{けいぞく:continuity:N1}[管理]{かんり:management:N2}（BCP\u002FBCM）など[管理策]{かんりさく:control 
measures:N1}の[体系]{たいけい:framework:N1}を[把握]{はあく:grasp:N1}する。PDCAサイクル（Plan-Do-Check-Act）による[継続]{けいぞく:continuous:N1}[改善]{かいぜん:improvement:N1}も[頻出]{ひんしゅつ:frequent:N1}。\n\n#en\nUnderstand the overall picture of the Information Security Management System (ISMS, ISO\u002FIEC 27001 compliant). Grasp the framework of control measures: information security policy, asset management, access control, physical\u002Fenvironmental security, incident management, business continuity management (BCP\u002FBCM). Continuous improvement via the PDCA cycle (Plan-Do-Check-Act) is also frequent.\n::\n\n::para\n[リスク]{りすく:risk}[評価]{ひょうか:assessment:N1}の[手順]{てじゅん:procedure:N2}は[次]{つぎ:next:N3}の[通り]{とおり:as follows:N4}。（1）[資産]{しさん:asset:N3}[特定]{とくてい:identify:N3}：[守る]{まもる:protect:N3}べき[情報]{じょうほう:information:N3}[資産]{しさん:assets:N3}を[洗い出す]{あらいだす:list out:N3}。（2）[脅威]{きょうい:threat:N1}・[脆弱性]{ぜいじゃくせい:vulnerability:N1}[特定]{とくてい:identify:N3}：[各]{かく:each:N2}[資産]{しさん:asset:N3}に[対する]{たいする:against:N3}[脅威]{きょうい:threats:N1}（[マルウェア]{まるうぇあ:malware}・[内部]{ないぶ:insider:N3}[不正]{ふせい:fraud:N4}・[自然]{しぜん:natural:N3}[災害]{さいがい:disasters:N1}）と[脆弱性]{ぜいじゃくせい:vulnerabilities:N1}（[未]{み:un-:N3}パッチ・[弱い]{よわい:weak:N2}[認証]{にんしょう:authentication:N1}）を[列挙]{れっきょ:list:N1}。（3）[リスク]{りすく:risk}[分析]{ぶんせき:analyze:N1}：[発生]{はっせい:occurrence:N4}[頻度]{ひんど:frequency:N1}と[影響]{えいきょう:impact:N1}[度]{ど:degree:N4}から[リスク]{りすく:risk}[値]{ち:value:N3}を[算出]{さんしゅつ:calculate:N2}。（4）[リスク]{りすく:risk}[評価]{ひょうか:evaluate:N1}：[許容]{きょよう:acceptable:N3}できる[リスク]{りすく:risk}か[判断]{はんだん:judge:N3}。（5）[リスク]{りすく:risk}[対応]{たいおう:response:N1}：[低減]{ていげん:reduce:N2}・[回避]{かいひ:avoid:N1}・[移転]{いてん:transfer:N2}（[保険]{ほけん:insurance:N1}）・[受容]{じゅよう:accept:N3}の4つの[選択肢]{せんたくし:options:N1}から[選ぶ]{えらぶ:choose:N3}。\n\n#en\nThe risk assessment procedure is: (1) Asset identification: list out information assets to protect. (2) Threat\u002Fvulnerability identification: enumerate threats (malware, insider fraud, natural disasters) and vulnerabilities (unpatched, weak authentication) for each asset. 
(3) Risk analysis: calculate risk value from occurrence frequency and impact degree. (4) Risk evaluation: judge whether the risk is acceptable. (5) Risk response: choose from four options — reduce, avoid, transfer (insurance), or accept.\n::\n\n::heading\n[第]{だい:area:N1}4の[領域]{りょういき:area:N2}：[技術要素]{ぎじゅつようそ:technology elements:N1}（[認証]{にんしょう:authentication:N1}・[暗号]{あんごう:cryptography:N3}・[マルウェア]{まるうぇあ:malware}[対策]{たいさく:countermeasures:N1}）\n\n#en\nArea 4: Technology Elements (Authentication, Cryptography, Malware Countermeasures)\n::\n\n::para\nSGはマネジメント[寄り]{より:oriented:N3}の[試験]{しけん:exam:N4}だが、[基本]{きほん:basic:N1}[技術]{ぎじゅつ:technology:N2}も[出題]{しゅつだい:asked:N4}される。[認証]{にんしょう:Authentication:N1}では[多要素]{たようそ:multi-factor:N1}[認証]{にんしょう:authentication:N1}（MFA・2FA）、[生体]{せいたい:biometric:N4}[認証]{にんしょう:authentication:N1}、シングルサインオン（SSO）、[公開]{こうかい:public:N4}[鍵]{かぎ:key:N1}[基盤]{きばん:infrastructure:N1}（PKI）と[電子]{でんし:digital:N5}[証明書]{しょうめいしょ:certificate:N1}。[暗号]{あんごう:Cryptography:N3}では[共通]{きょうつう:symmetric:N3}[鍵]{かぎ:key:N1}（AES）と[公開]{こうかい:public:N4}[鍵]{かぎ:key:N1}（RSA・[楕円]{だえん:elliptic:N1}[曲線]{きょくせん:curve:N2}）、[ハッシュ]{はっしゅ:hash}（SHA-256）、[電子]{でんし:digital:N5}[署名]{しょめい:signature:N2}の[仕組み]{しくみ:mechanism:N3}を[理解]{りかい:understand:N3}。[マルウェア]{まるうぇあ:malware}[対策]{たいさく:countermeasures:N1}では[ウイルス]{ういるす:virus}・[ワーム]{わーむ:worm}・[トロイの木馬]{とろいのもくば:Trojan horse:N3}・[ランサムウェア]{らんさむうぇあ:ransomware}・スパイウェアの[特徴]{とくちょう:characteristics:N1}を[区別]{くべつ:distinguish:N2}し、[各種]{かくしゅ:various:N2}[対策]{たいさく:countermeasures:N1}（パターン[マッチング]{まっちんぐ:matching}・[振る舞い]{ふるまい:behavior:N1}[検知]{けんち:detection:N1}・サンドボックス）を[把握]{はあく:grasp:N1}する。\n\n#en\nSG is a management-oriented exam, but basic technology is also asked. In Authentication: multi-factor authentication (MFA\u002F2FA), biometric authentication, single sign-on (SSO), public-key infrastructure (PKI), and digital certificates. In Cryptography: understand symmetric-key (AES), public-key (RSA, elliptic curve), hash (SHA-256), and digital signature mechanisms. 
In Malware Countermeasures: distinguish characteristics of viruses, worms, Trojan horses, ransomware, and spyware, and grasp various countermeasures (pattern matching, behavioral detection, sandboxing).\n::\n\n::callout\n[学習]{がくしゅう:study:N4}のコツ：SGの[科目]{かもく:subject:N3}Bは[長文]{ちょうぶん:long-form:N4}シナリオから「[誰]{だれ:who:N3}が・[何]{なに:what:N5}を・[なぜ]{なぜ:why}・[どうすべきか]{どうすべきか:what should be done}」を[読み解く]{よみとく:read and interpret:N3}[国語]{こくご:Japanese language:N5}[力]{りょく:ability:N4}が[問われる]{とわれる:asked:N4}。[攻撃]{こうげき:attack:N1}の[流れ]{ながれ:flow:N3}（[偵察]{ていさつ:reconnaissance:N1}→[侵入]{しんにゅう:intrusion:N1}→[権限]{けんげん:privilege:N3}[昇格]{しょうかく:escalation:N2}→[内部]{ないぶ:internal:N3}[活動]{かつどう:activity:N3}→[目的]{もくてき:purpose:N4}[達成]{たっせい:achievement:N3}）と[組織]{そしき:organizational:N1}[対応]{たいおう:response:N1}（[検知]{けんち:detection:N1}→[初動]{しょどう:initial response:N3}→[封じ込め]{ふうじこめ:containment:N2}→[復旧]{ふっきゅう:recovery:N2}→[再発]{さいはつ:recurrence:N2}[防止]{ぼうし:prevention:N2}）を[時系列]{じけいれつ:timeline:N1}で[整理]{せいり:organize:N1}しておく。\n\n#en\nStudy Tip: SG Subject B tests the Japanese reading ability needed to interpret \"who, what, why, and what should be done\" from long-form scenarios. 
Organize the attack flow (reconnaissance → intrusion → privilege escalation → internal activity → goal achievement) and organizational response (detection → initial response → containment → recovery → recurrence prevention) chronologically.\n::\n\n::heading\n[学習]{がくしゅう:study:N4}リソース・[次]{つぎ:next:N3}のステップ\n\n#en\nStudy Resources and Next Steps\n::\n\n::para\n[標準]{ひょうじゅん:standard:N1}[学習]{がくしゅう:study:N4}[時間]{じかん:hours:N5}は[初学者]{しょがくしゃ:beginners:N3}で[約]{やく:approximately:N3}100〜200[時間]{じかん:hours:N5}。「[情報]{じょうほう:information:N3}セキュリティマネジメント[試験]{しけん:exam:N4}[過去問]{かこもん:past questions:N3}[道場]{どうじょう:dojo:N4}」「[公式]{こうしき:official:N3}[教科書]{きょうかしょ:textbook:N3}」「[市販]{しはん:commercial:N2}テキスト」が[標準]{ひょうじゅん:standard:N1}リソース。SG[合格]{ごうかく:pass:N3}[後]{ご:after:N5}は、[管理職]{かんりしょく:managerial:N2}[志向]{しこう:oriented:N1}であればAP（[午後]{ごご:afternoon:N5}でセキュリティ＋[サービスマネジメント]{さーびすまねじめんと:service management}＋[システム監査]{しすてむかんさ:system audit:N1}を[選択]{せんたく:select:N1}）、[技術]{ぎじゅつ:technical:N2}[志向]{しこう:oriented:N1}であればFE→[情報処理]{じょうほうしょり:information processing:N3}[安全]{あんぜん:safety:N3}[確保]{かくほ:assurance:N1}[支援士]{しえんし:support specialist:N1}（SC、レベル4）が[次]{つぎ:next:N3}の[目標]{もくひょう:target:N1}となる。\n\n#en\nStandard study hours are about 100–200 for beginners. The \"SG Past Question Dojo,\" official textbooks, and commercial texts are standard resources. 
After passing SG, those with managerial orientation can target AP (selecting security + service management + system audit in the afternoon); those with technical orientation should target FE → Registered Information Security Specialist (SC, Level 4).\n::\n",{"id":78,"title":81,"titleEn":82,"topicPath":10,"questions":83},"情報セキュリティマネジメント試験 — サンプル問題","SG Exam — Sample Questions",[84,111,134,157,180,203],{"id":85,"articleId":6,"question":86,"options":89,"correctLabel":95,"explanation":106,"tags":109},"exam-sg-quiz-q01",{"en":87,"jp":88},"Of the CIA triad of information security, which guarantees that data has not been tampered with?","[情報]{じょうほう:information}セキュリティの3[要素]{ようそ:elements}（CIA）のうち、「データが[改ざん]{かいざん:tampered with}されていないこと」を[保証]{ほしょう:guarantee}するのはどれか。",[90,94,98,102],{"label":91,"jp":92,"en":93},"ア","[機密性]{きみつせい:Confidentiality}","Confidentiality",{"label":95,"jp":96,"en":97},"イ","[完全性]{かんぜんせい:Integrity}","Integrity",{"label":99,"jp":100,"en":101},"ウ","[可用性]{かようせい:Availability}","Availability",{"label":103,"jp":104,"en":105},"エ","[真正性]{しんせいせい:Authenticity}","Authenticity",{"en":107,"jp":108},"Integrity maintains information in an accurate, untampered state. 
Confidentiality means that only authorized persons can access information, and Availability means access is possible when needed.","[完全性]{かんぜんせい:Integrity}（Integrity）は[情報]{じょうほう:information}が[正確]{せいかく:accurate}で[改ざん]{かいざん:tampering}されていない[状態]{じょうたい:state}を[維持]{いじ:maintain}すること。[機密性]{きみつせい:Confidentiality}は[許可]{きょか:authorized}された[人]{ひと:people}のみがアクセス、[可用性]{かようせい:Availability}は[必要]{ひつよう:needed}な[時]{とき:when}にアクセスできる[状態]{じょうたい:state}。",[110],"情報セキュリティ基本",{"id":112,"articleId":6,"question":113,"options":116,"correctLabel":103,"explanation":129,"tags":132},"exam-sg-quiz-q02",{"en":114,"jp":115},"Which is NOT 'special care-required personal information' under the Personal Information Protection Act (2022 amendment)?","[個人]{こじん:personal}[情報]{じょうほう:information}[保護]{ほご:protection}[法]{ほう:law}（2022[年]{ねん:year}[改正]{かいせい:amendment}）における「[要]{よう:requiring}[配慮]{はいりょ:special care}[個人]{こじん:personal}[情報]{じょうほう:information}」に[該当]{がいとう:applicable}しないものはどれか。",[117,120,123,126],{"label":91,"jp":118,"en":119},"[病歴]{びょうれき:medical history}","Medical history",{"label":95,"jp":121,"en":122},"[犯罪]{はんざい:criminal}[歴]{れき:record}","Criminal record",{"label":99,"jp":124,"en":125},"[人種]{じんしゅ:race}","Race",{"label":103,"jp":127,"en":128},"[氏名]{しめい:name}","Name",{"en":130,"jp":131},"Special care-required personal information requires especially careful handling, with acquisition in principle prohibited without consent. 
Race, creed, medical history, and criminal record qualify; a name is general personal information.","[要]{よう:requiring}[配慮]{はいりょ:special care}[個人]{こじん:personal}[情報]{じょうほう:information}は[本人]{ほんにん:the person}の[同意]{どうい:consent}なしの[取得]{しゅとく:acquisition}が[原則]{げんそく:principle}[禁止]{きんし:prohibited}される[特に]{とくに:especially}[慎重]{しんちょう:careful}な[取扱い]{とりあつかい:handling}を[要する]{ようする:required}[情報]{じょうほう:information}。[人種]{じんしゅ:race}・[信条]{しんじょう:creed}・[病歴]{びょうれき:medical history}・[犯罪]{はんざい:criminal}[歴]{れき:record}などが[該当]{がいとう:applicable}するが、[氏名]{しめい:name}は[一般]{いっぱん:general}の[個人]{こじん:personal}[情報]{じょうほう:information}。",[133],"個人情報保護法",{"id":135,"articleId":6,"question":136,"options":139,"correctLabel":99,"explanation":152,"tags":155},"exam-sg-quiz-q03",{"en":137,"jp":138},"Of the four risk-response options, which corresponds to 'enrolling in insurance to be able to compensate for damage'?","[リスク]{りすく:risk}[対応]{たいおう:response}の4[つの]{つの:four}[選択肢]{せんたくし:options}のうち、「[保険]{ほけん:insurance}に[加入]{かにゅう:enroll}して[損害]{そんがい:damage}を[補填]{ほてん:compensate}できるようにする」ことに[該当]{がいとう:applicable}するのはどれか。",[140,143,146,149],{"label":91,"jp":141,"en":142},"[リスク]{りすく:risk}[低減]{ていげん:reduction}","Risk reduction",{"label":95,"jp":144,"en":145},"[リスク]{りすく:risk}[回避]{かいひ:avoidance}","Risk avoidance",{"label":99,"jp":147,"en":148},"[リスク]{りすく:risk}[移転]{いてん:transfer}","Risk transfer",{"label":103,"jp":150,"en":151},"[リスク]{りすく:risk}[受容]{じゅよう:acceptance}","Risk acceptance",{"en":153,"jp":154},"Risk transfer shifts risk to a third party (insurance company, external vendor). 
Reduction implements countermeasures, avoidance stops the activity, and acceptance accepts it as is.","[リスク]{りすく:risk}[移転]{いてん:transfer}は[第三者]{だいさんしゃ:third party}（[保険]{ほけん:insurance}[会社]{がいしゃ:company}・[外部]{がいぶ:external}[業者]{ぎょうしゃ:vendor}）に[リスク]{りすく:risk}を[転嫁]{てんか:shift}する[方法]{ほうほう:method}。[低減]{ていげん:reduction}は[対策]{たいさく:countermeasures}を[講じる]{こうじる:implement}、[回避]{かいひ:avoidance}は[活動]{かつどう:activity}を[やめる]{やめる:stop}、[受容]{じゅよう:acceptance}はそのまま[受け入れる]{うけいれる:accept}。",[156],"リスクマネジメント",{"id":158,"articleId":6,"question":159,"options":162,"correctLabel":95,"explanation":175,"tags":178},"exam-sg-quiz-q04",{"en":160,"jp":161},"An employee provided to a third party an ID\u002Fpassword of another that they learned through work. Which law does this violate?","[従業員]{じゅうぎょういん:employee}が[業務上]{ぎょうむじょう:work-related}[知り得た]{しりえた:learned}[他人]{たにん:another's}のID\u002F[パスワード]{ぱすわーど:password}を[第三者]{だいさんしゃ:third party}に[提供]{ていきょう:provide}した。これは[何法]{なにほう:which law}に[違反]{いはん:violates}するか。",[163,166,169,172],{"label":91,"jp":164,"en":165},"[個人]{こじん:personal}[情報]{じょうほう:information}[保護]{ほご:protection}[法]{ほう:law}","Personal Information Protection Act",{"label":95,"jp":167,"en":168},"[不正]{ふせい:unauthorized}アクセス[禁止]{きんし:prohibition}[法]{ほう:law}","Unauthorized Access Prohibition Act",{"label":99,"jp":170,"en":171},"[著作権]{ちょさくけん:copyright}[法]{ほう:law}","Copyright Act",{"label":103,"jp":173,"en":174},"[特定]{とくてい:specified}[電子]{でんし:electronic}メール[法]{ほう:law}","Specified Electronic Mail Act",{"en":176,"jp":177},"The Unauthorized Access Prohibition Act prohibits providing another's ID\u002Fpassword to a third party without the person's consent as an 'abetting act' (Article 5).","[不正]{ふせい:unauthorized}アクセス[禁止]{きんし:prohibition}[法]{ほう:law}では、[他人]{たにん:another's}のID\u002F[パスワード]{ぱすわーど:password}を[本人]{ほんにん:the person}の[承諾]{しょうだく:consent}なく[第三者]{だいさんしゃ:third 
party}に[提供]{ていきょう:provide}する[行為]{こうい:act}は「[助長]{じょちょう:abetting}[行為]{こうい:act}」として[禁止]{きんし:prohibited}される（[第]{だい:article}5[条]{じょう:article}）。",[179],"関連法令",{"id":181,"articleId":6,"question":182,"options":185,"correctLabel":91,"explanation":198,"tags":201},"exam-sg-quiz-q05",{"en":183,"jp":184},"Immediately after an employee mistakenly opens a targeted attack email and executes the attached file, which initial response is most appropriate?","[標的型]{ひょうてきがた:targeted}[攻撃]{こうげき:attack}メールを[従業員]{じゅうぎょういん:employee}が[誤って]{あやまって:mistakenly}[開封]{かいふう:open}し、[添付]{てんぷ:attached}ファイルを[実行]{じっこう:execute}してしまった[直後]{ちょくご:immediately after}にすべき[初動]{しょどう:initial}[対応]{たいおう:response}として[最]{もっと:most}も[適切]{てきせつ:appropriate}なものはどれか。",[186,189,192,195],{"label":91,"jp":187,"en":188},"[端末]{たんまつ:device}を[直ちに]{ただちに:immediately}ネットワークから[切り離し]{きりはなし:disconnect}、[情報]{じょうほう:information}セキュリティ[管理者]{かんりしゃ:administrator}に[連絡]{れんらく:contact}する","Immediately disconnect the device from the network and contact the information security administrator",{"label":95,"jp":190,"en":191},"[端末]{たんまつ:device}の[電源]{でんげん:power}を[切らず]{きらず:without turning off}にしばらく[様子]{ようす:behavior}を[見る]{みる:observe}","Leave the device powered on and observe for a while",{"label":99,"jp":193,"en":194},"[同僚]{どうりょう:colleagues}にも[同じ]{おなじ:same}メールが[届いて]{とどいて:arrived}いないか[全社]{ぜんしゃ:company-wide}に[転送]{てんそう:forward}する","Forward the email company-wide to check whether colleagues received it too",{"label":103,"jp":196,"en":197},"[何]{なに:nothing}もせず[業務]{ぎょうむ:work}を[続ける]{つづける:continue}","Continue working without doing anything",{"en":199,"jp":200},"If malware infection is suspected, the principle of initial response is to immediately isolate from the network to prevent spread and report to CSIRT\u002Fthe information security administrator. 
Modern forensic procedures do not recommend turning off power because volatile evidence would be lost.","[マルウェア]{まるうぇあ:malware}[感染]{かんせん:infection}が[疑われる]{うたがわれる:suspected}[場合]{ばあい:case}は[感染]{かんせん:infection}[拡大]{かくだい:spread}を[防ぐ]{ふせぐ:prevent}ため、[直ちに]{ただちに:immediately}ネットワークから[隔離]{かくり:isolate}し、CSIRT\u002F[情報]{じょうほう:information}セキュリティ[管理者]{かんりしゃ:administrator}に[報告]{ほうこく:report}するのが[初動]{しょどう:initial response}の[原則]{げんそく:principle}。[電源]{でんげん:power}を[切る]{きる:turn off}と[揮発性]{きはつせい:volatile}[証拠]{しょうこ:evidence}が[失われる]{うしなわれる:lost}ため[現代]{げんだい:modern}の[フォレンジック]{ふぉれんじっく:forensic}[手順]{てじゅん:procedure}では[非]{ひ:not}[推奨]{すいしょう:recommended}。",[202],"インシデント対応",{"id":204,"articleId":6,"question":205,"options":208,"correctLabel":99,"explanation":221,"tags":224},"exam-sg-quiz-q06",{"en":206,"jp":207},"Which is a correct combination for multi-factor authentication (MFA)?","[多要素]{たようそ:multi-factor}[認証]{にんしょう:authentication}（MFA）の[組合せ]{くみあわせ:combination}として[正しい]{ただしい:correct}ものはどれか。",[209,212,215,218],{"label":91,"jp":210,"en":211},"[パスワード]{ぱすわーど:password}と[秘密]{ひみつ:secret}の[質問]{しつもん:question}","Password and secret question",{"label":95,"jp":213,"en":214},"[パスワード]{ぱすわーど:password}とPIN[コード]{こーど:code}","Password and PIN code",{"label":99,"jp":216,"en":217},"[パスワード]{ぱすわーど:password}とスマートフォンへの[ワンタイム]{わんたいむ:one-time}[コード]{こーど:code}","Password and one-time code to smartphone",{"label":103,"jp":219,"en":220},"[パスワード]{ぱすわーど:password}と[パスワード]{ぱすわーど:password}の[再]{さい:re}[入力]{にゅうりょく:entry}","Password and re-entry of the password",{"en":222,"jp":223},"MFA combines two or more of the three different elements: 'knowledge,' 'possession,' and 'biometric.' Password (knowledge) + one-time code to smartphone (possession) qualifies as multi-factor. 
A, B, and D all use only 'knowledge' so are not multi-factor.","[多要素]{たようそ:multi-factor}[認証]{にんしょう:authentication}は「[知識]{ちしき:knowledge}」「[所持]{しょじ:possession}」「[生体]{せいたい:biometric}」の[異なる]{ことなる:different}3[要素]{ようそ:elements}のうち2つ[以上]{いじょう:or more}を[組み合わせる]{くみあわせる:combine}。[パスワード]{ぱすわーど:password}（[知識]{ちしき:knowledge}）＋[スマートフォン]{すまーとふぉん:smartphone}への[ワンタイム]{わんたいむ:one-time}[コード]{こーど:code}（[所持]{しょじ:possession}）は[多要素]{たようそ:multi-factor}に[該当]{がいとう:applicable}。ア・イ・エはすべて「[知識]{ちしき:knowledge}」のみで[多要素]{たようそ:multi-factor}にならない。",[225],"認証技術"]