[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"article:kjh-k2-h01-security-kiso":3},{"meta":4,"markdown":210,"quiz":211},{"type":5,"articleId":6,"slug":6,"title":7,"titleEn":8,"category":9,"order":10,"seriesLabel":11,"summary":12,"publishedAt":13,"image":14,"tags":15,"vocabulary":19,"quizId":206,"source":207},"article","kjh-k2-h01-security-kiso","課題Ⅱ 第１編① 情報セキュリティの基礎と脅威","Fundamentals of information security and threats","kojin-joho-hogo\u002Fkadai-2",2011,"課題Ⅱ 第１編①","Covers the CIA triad and four additional properties, exhaustive threat classification (technical including all malware types and web attacks, human including social engineering methods, physical), vulnerabilities, recent trends (APT, supply chain, ransomware, BEC, IoT), and the risk formula.","2026-04-26T00:00:00Z","https:\u002F\u002Fimages.yamiyomi.com\u002Fkjh-k2-h01-security-kiso.png",[16,17,18],"exam:個人情報保護士","topic:情報セキュリティ","topic:脅威",[20,25,30,34,38,42,46,50,54,58,62,66,70,74,78,82,86,90,94,98,102,106,110,114,118,122,126,130,134,138,142,146,150,154,158,162,166,170,174,178,182,186,190,194,198,202],{"word":21,"reading":22,"meaning":23,"level":24},"情報","じょうほう","information","N2",{"word":26,"reading":27,"meaning":28,"level":29},"脅威","きょうい","threat","N1",{"word":31,"reading":32,"meaning":33,"level":29},"機密性","きみつせい","confidentiality",{"word":35,"reading":36,"meaning":37,"level":29},"完全性","かんぜんせい","integrity",{"word":39,"reading":40,"meaning":41,"level":29},"可用性","かようせい","availability",{"word":43,"reading":44,"meaning":45,"level":29},"真正性","しんせいせい","authenticity",{"word":47,"reading":48,"meaning":49,"level":29},"責任追跡性","せきにんついせきせい","accountability",{"word":51,"reading":52,"meaning":53,"level":29},"否認防止","ひにんぼうし","non-repudiation",{"word":55,"reading":56,"meaning":57,"level":24},"信頼性","しんらいせい","reliability",{"word":59,"reading":60,"meaning":61,"level":29},"脆弱性","ぜいじゃくせい","vulnerability",{"word":63,"reading":64,"meaning":65,"level":29},"改ざん","かいざん","tampering, 
falsification",{"word":67,"reading":68,"meaning":69,"level":29},"窃取","せっしゅ","theft, stealing",{"word":71,"reading":72,"meaning":73,"level":24},"詐欺","さぎ","fraud",{"word":75,"reading":76,"meaning":77,"level":24},"悪意","あくい","malicious intent",{"word":79,"reading":80,"meaning":81,"level":29},"総称","そうしょう","general term",{"word":83,"reading":84,"meaning":85,"level":29},"寄生","きせい","parasitism",{"word":87,"reading":88,"meaning":89,"level":29},"増殖","ぞうしょく","propagation",{"word":91,"reading":92,"meaning":93,"level":29},"身代金","みのしろきん","ransom",{"word":95,"reading":96,"meaning":97,"level":29},"暗号化","あんごうか","encryption",{"word":99,"reading":100,"meaning":101,"level":24},"攻撃者","こうげきしゃ","attacker",{"word":103,"reading":104,"meaning":105,"level":24},"悪用","あくよう","exploitation, abuse",{"word":107,"reading":108,"meaning":109,"level":24},"侵入","しんにゅう","intrusion",{"word":111,"reading":112,"meaning":113,"level":24},"設定","せってい","configuration",{"word":115,"reading":116,"meaning":117,"level":29},"不備","ふび","inadequacy",{"word":119,"reading":120,"meaning":121,"level":29},"標的型","ひょうてきがた","targeted (attack)",{"word":123,"reading":124,"meaning":125,"level":29},"執拗","しつよう","persistent, tenacious",{"word":127,"reading":128,"meaning":129,"level":29},"二重脅迫","にじゅうきょうはく","double extortion",{"word":131,"reading":132,"meaning":133,"level":29},"委託先","いたくさき","outsourcing partner",{"word":135,"reading":136,"meaning":137,"level":24},"犯行","はんこう","crime, criminal act",{"word":139,"reading":140,"meaning":141,"level":29},"過失","かしつ","negligence",{"word":143,"reading":144,"meaning":145,"level":24},"盗難","とうなん","theft",{"word":147,"reading":148,"meaning":149,"level":24},"廃棄","はいき","disposal, 
discarding",{"word":151,"reading":152,"meaning":153,"level":29},"施錠","せじょう","locking",{"word":155,"reading":156,"meaning":157,"level":29},"冗長化","じょうちょうか","redundancy",{"word":159,"reading":160,"meaning":161,"level":29},"顕在化","けんざいか","materialization",{"word":163,"reading":164,"meaning":165,"level":24},"低減","ていげん","reduction",{"word":167,"reading":168,"meaning":169,"level":24},"回避","かいひ","avoidance",{"word":171,"reading":172,"meaning":173,"level":24},"移転","いてん","transfer",{"word":175,"reading":176,"meaning":177,"level":24},"保有","ほゆう","retention, possession",{"word":179,"reading":180,"meaning":181,"level":29},"監査","かんさ","audit",{"word":183,"reading":184,"meaning":185,"level":29},"証跡","しょうせき","audit trail",{"word":187,"reading":188,"meaning":189,"level":24},"踏み台","ふみだい","stepping stone (for attacks)",{"word":191,"reading":192,"meaning":193,"level":24},"誘導","ゆうどう","redirect, guide",{"word":195,"reading":196,"meaning":197,"level":29},"頻出","ひんしゅつ","frequently appearing",{"word":199,"reading":200,"meaning":201,"level":29},"欠陥","けっかん","defect, flaw",{"word":203,"reading":204,"meaning":205,"level":29},"検知","けんち","detection","kjh-k2-h01-quiz",{"name":208,"url":209},"個人情報保護士試験対策","https:\u002F\u002Fwww.joho-gakushu.or.jp\u002Fpiip\u002F","\n::para\n[情報]{じょうほう:information:N3}セキュリティとは、[組織]{そしき:organization:N1}や[個人]{こじん:individual:N2}が[保有]{ほゆう:possess:N1}する[情報]{じょうほう:information:N3}[資産]{しさん:asset:N3}を[様々]{さまざま:various:N3}な[脅威]{きょうい:threat:N1}から[守る]{まもる:to protect:N3}ための[取り組み]{とりくみ:efforts:N3}である。[情報]{じょうほう:information:N3}セキュリティの[基本]{きほん:basic:N1}は、CIAトライアドと[呼ばれる]{よばれる:called:N3}3つの[要素]{ようそ:elements:N1}で[構成]{こうせい:composed:N3}される。\n\n#en\nInformation security refers to efforts to protect the information assets held by organizations and individuals from various threats. 
The foundation of information security is composed of three elements known as the CIA triad.\n::\n\n::heading\nCIAトライアド：[機密性]{きみつせい:confidentiality:N1}・[完全性]{かんぜんせい:integrity:N3}・[可用性]{かようせい:availability:N3}\n\n#en\nCIA triad: confidentiality, integrity, availability\n::\n\n::para\n[機密性]{きみつせい:confidentiality:N1}（Confidentiality）とは、[許可]{きょか:authorized:N3}された[者]{もの:person:N4}だけが[情報]{じょうほう:information:N3}にアクセスできる[状態]{じょうたい:state:N1}を[確保]{かくほ:ensure:N1}することである。[具体的]{ぐたいてき:specifically:N3}には、アクセス[制御]{せいぎょ:control:N3}、[暗号化]{あんごうか:encryption:N3}、[認証]{にんしょう:authentication:N1}[技術]{ぎじゅつ:technology:N2}などにより[不正]{ふせい:unauthorized:N4}な[閲覧]{えつらん:viewing:N1}や[漏えい]{ろうえい:leakage:N1}を[防止]{ぼうし:prevent:N2}する。[完全性]{かんぜんせい:integrity:N3}（Integrity）とは、[情報]{じょうほう:information:N3}が[正確]{せいかく:accurate:N3}かつ[完全]{かんぜん:complete:N3}であり、[権限]{けんげん:authority:N3}のない[者]{もの:person:N4}による[改ざん]{かいざん:tampering:N2}や[破壊]{はかい:destruction:N1}が[行われて]{おこなわれて:carried out:N5}いないことを[保証]{ほしょう:guarantee:N1}することである。ハッシュ[値]{ち:value:N3}の[検証]{けんしょう:verification:N1}やデジタル[署名]{しょめい:signature:N2}が[代表的]{だいひょうてき:representative:N3}な[手段]{しゅだん:means:N3}である。[可用性]{かようせい:availability:N3}（Availability）とは、[許可]{きょか:authorized:N3}された[利用者]{りようしゃ:user:N3}が[必要]{ひつよう:necessary:N3}な[時]{とき:time:N5}に[情報]{じょうほう:information:N3}やシステムに[確実]{かくじつ:reliably:N3}にアクセスできる[状態]{じょうたい:state:N1}を[維持]{いじ:maintain:N1}することである。[冗長化]{じょうちょうか:redundancy:N1}、バックアップ、[災害]{さいがい:disaster:N1}[復旧]{ふっきゅう:recovery:N2}[計画]{けいかく:plan:N4}（DRP）などが[可用性]{かようせい:availability:N3}を[高める]{たかめる:enhance:N5}[手段]{しゅだん:means:N3}となる。\n\n#en\nConfidentiality is ensuring that only authorized persons can access information. Specifically, it prevents unauthorized viewing and leakage through access control, encryption, and authentication technologies. Integrity is guaranteeing that information is accurate and complete, and has not been tampered with or destroyed by unauthorized persons. Hash value verification and digital signatures are representative means. 
Availability is maintaining a state where authorized users can reliably access information and systems when needed. Redundancy, backups, and disaster recovery plans (DRP) are means to enhance availability.\n::\n\n::callout\n[試験]{しけん:exam:N4}では、CIA[各]{かく:each:N2}[要素]{ようそ:element:N1}の[定義]{ていぎ:definition:N1}を[正確]{せいかく:accurately:N3}に[区別]{くべつ:distinguish:N2}する[問題]{もんだい:question:N4}が[頻出]{ひんしゅつ:frequently appearing:N1}。「[改ざん]{かいざん:tampering:N2}[防止]{ぼうし:prevention:N2}」は[完全性]{かんぜんせい:integrity:N3}、「[漏えい]{ろうえい:leakage:N1}[防止]{ぼうし:prevention:N2}」は[機密性]{きみつせい:confidentiality:N1}、「システム[停止]{ていし:stoppage:N2}[防止]{ぼうし:prevention:N2}」は[可用性]{かようせい:availability:N3}と[覚える]{おぼえる:memorize:N3}こと。\n\n#en\nExam tip: Questions that require accurately distinguishing each CIA element appear frequently. Remember: \"preventing tampering\" = integrity, \"preventing leakage\" = confidentiality, \"preventing system stoppage\" = availability.\n::\n\n::heading\n[追加]{ついか:additional:N3}の[特性]{とくせい:properties:N3}：[真正性]{しんせいせい:authenticity:N3}・[責任]{せきにん:responsibility:N3}[追跡性]{ついせきせい:traceability:N2}・[否認]{ひにん:denial:N3}[防止]{ぼうし:prevention:N2}・[信頼性]{しんらいせい:reliability:N3}\n\n#en\nAdditional properties: authenticity, accountability, non-repudiation, reliability\n::\n\n::para\nCIAの3[要素]{ようそ:elements:N1}に[加えて]{くわえて:in addition 
to:N3}、[情報]{じょうほう:information:N3}セキュリティにはさらに4つの[特性]{とくせい:property:N3}が[定義]{ていぎ:defined:N1}されている。[真正性]{しんせいせい:authenticity:N3}（Authenticity）は、[利用者]{りようしゃ:user:N3}やシステムが[本物]{ほんもの:genuine:N4}であることを[確認]{かくにん:confirm:N3}できる[特性]{とくせい:property:N3}であり、[多]{た:multi:N4}[要素]{ようそ:factor:N1}[認証]{にんしょう:authentication:N1}や[電子]{でんし:electronic:N5}[証明書]{しょうめいしょ:certificate:N1}で[実現]{じつげん:realize:N3}する。[責任]{せきにん:responsibility:N3}[追跡性]{ついせきせい:traceability:N2}（Accountability）は、[誰]{だれ:who:N3}が[何]{なに:what:N5}を[行った]{おこなった:did:N5}かを[追跡]{ついせき:trace:N2}できる[特性]{とくせい:property:N3}であり、アクセスログや[監査]{かんさ:audit:N1}[証跡]{しょうせき:trail:N1}が[重要]{じゅうよう:important:N3}となる。[否認]{ひにん:denial:N3}[防止]{ぼうし:prevention:N2}（Non-repudiation）は、ある[行為]{こうい:act:N1}が[行われた]{おこなわれた:carried out:N5}[事実]{じじつ:fact:N3}を[後]{あと:later:N5}から[否定]{ひてい:deny:N3}できなくする[特性]{とくせい:property:N3}であり、デジタル[署名]{しょめい:signature:N2}やタイムスタンプで[担保]{たんぽ:guarantee:N1}する。[信頼性]{しんらいせい:reliability:N3}（Reliability）は、システムが[意図]{いと:intended:N4}した[通り]{とおり:as:N4}に[一貫]{いっかん:consistently:N1}して[動作]{どうさ:operate:N4}する[特性]{とくせい:property:N3}である。\n\n#en\nIn addition to the three CIA elements, four more properties are defined for information security. Authenticity is the property of confirming that a user or system is genuine, realized through multi-factor authentication and electronic certificates. Accountability is the property of being able to trace who did what, with access logs and audit trails being important. Non-repudiation is the property that prevents denying an act after it occurred, guaranteed by digital signatures and timestamps. 
Reliability is the property that a system operates consistently as intended.\n::\n\n::callout\n[追加]{ついか:additional:N3}の4[特性]{とくせい:properties:N3}はJIS Q 27000で[定義]{ていぎ:defined:N1}されている。[試験]{しけん:exam:N4}では「[否認]{ひにん:denial:N3}[防止]{ぼうし:prevention:N2}」と「[責任]{せきにん:responsibility:N3}[追跡性]{ついせきせい:traceability:N2}」の[違い]{ちがい:difference:N3}が[問われる]{とわれる:asked:N4}。[否認]{ひにん:denial:N3}[防止]{ぼうし:prevention:N2}＝「やっていない」と[言わせない]{いわせない:not let someone say:N4}こと。[責任]{せきにん:responsibility:N3}[追跡性]{ついせきせい:traceability:N2}＝「[誰]{だれ:who:N3}がやったか」を[辿れる]{たどれる:can trace:N1}こと。\n\n#en\nThe four additional properties are defined in JIS Q 27000. The exam tests the difference between non-repudiation and accountability. Non-repudiation = not letting someone say \"I didn't do it.\" Accountability = being able to trace \"who did it.\"\n::\n\n::heading\n[技術的]{ぎじゅつてき:technical:N2}[脅威]{きょうい:threat:N1}：マルウェアの[種類]{しゅるい:types:N3}\n\n#en\nTechnical threats: types of malware\n::\n\n::para\n[技術的]{ぎじゅつてき:technical:N2}[脅威]{きょうい:threat:N1}のうち、マルウェアは[悪意]{あくい:malicious intent:N4}のあるソフトウェアの[総称]{そうしょう:general term:N1}である。ウイルスは[他]{た:other:N3}のプログラムに[寄生]{きせい:parasitize:N3}し、[自己]{じこ:self:N1}[複製]{ふくせい:replication:N1}して[感染]{かんせん:infect:N1}を[拡大]{かくだい:expand:N1}する。ワームは[宿主]{しゅくしゅ:host:N3}プログラムを[必要]{ひつよう:need:N3}とせず、ネットワークを[通じて]{つうじて:through:N4}[自律的]{じりつてき:autonomously:N2}に[増殖]{ぞうしょく:propagate:N1}する。トロイの[木馬]{もくば:wooden horse; Trojan horse:N3}は[正常]{せいじょう:normal:N3}なソフトウェアを[装い]{よそおい:pretending to be:N2}、[裏]{うら:behind the scenes:N2}で[不正]{ふせい:unauthorized:N4}な[動作]{どうさ:operation:N4}を[行う]{おこなう:perform:N5}。ランサムウェアは[感染]{かんせん:infected:N1}した[端末]{たんまつ:device:N1}のデータを[暗号化]{あんごうか:encrypt:N3}し、[復号]{ふくごう:decryption:N2}と[引き換え]{ひきかえ:in 
exchange:N2}に[身代金]{みのしろきん:ransom:N4}を[要求]{ようきゅう:demand:N3}する。スパイウェアは[利用者]{りようしゃ:user:N3}の[操作]{そうさ:operation:N1}[情報]{じょうほう:information:N3}や[個人]{こじん:personal:N2}データを[秘密裏]{ひみつり:secretly:N1}に[外部]{がいぶ:external:N3}へ[送信]{そうしん:transmit:N3}する。アドウェアは[広告]{こうこく:advertisement:N3}を[強制的]{きょうせいてき:forcibly:N3}に[表示]{ひょうじ:display:N3}し、[一部]{いちぶ:some:N3}はスパイウェアの[機能]{きのう:function:N3}を[兼ねる]{かねる:also serve as:N1}。ボットは[攻撃者]{こうげきしゃ:attacker:N1}の[指令]{しれい:command:N2}で[遠隔]{えんかく:remote:N1}[操作]{そうさ:operation:N1}されるマルウェアであり、[大量]{たいりょう:large volume:N2}のボットがボットネットを[形成]{けいせい:form:N3}してDDoS[攻撃]{こうげき:attack:N1}に[利用]{りよう:used:N3}される。\n\n#en\nAmong technical threats, malware is a general term for malicious software. A virus parasitizes other programs and spreads infection through self-replication. A worm does not need a host program and propagates autonomously through networks. A Trojan horse pretends to be normal software while performing unauthorized operations behind the scenes. Ransomware encrypts data on infected devices and demands a ransom in exchange for decryption. Spyware secretly transmits user operation information and personal data externally. Adware forcibly displays advertisements, and some also serve as spyware. A bot is malware remotely controlled by an attacker's commands; large volumes of bots form botnets used for DDoS attacks.\n::\n\n::callout\nマルウェアの[分類]{ぶんるい:classification:N3}は[試験]{しけん:exam:N4}[頻出]{ひんしゅつ:frequently appearing:N1}。[特]{とく:particularly:N4}に「ウイルスとワームの[違い]{ちがい:difference:N3}」（[宿主]{しゅくしゅ:host:N3}の[有無]{うむ:presence or absence:N4}）と「トロイの[木馬]{もくば:Trojan horse:N3}の[特徴]{とくちょう:characteristic:N1}」（[自己]{じこ:self:N1}[複製]{ふくせい:replication:N1}しない）が[問われる]{とわれる:asked:N4}。\n\n#en\nExam tip: Malware classification appears frequently. 
Especially the difference between virus and worm (presence\u002Fabsence of host) and the characteristic of Trojan horse (does not self-replicate).\n::\n\n::heading\n[技術的]{ぎじゅつてき:technical:N2}[脅威]{きょうい:threat:N1}：Web[攻撃]{こうげき:attack:N1}・ネットワーク[攻撃]{こうげき:attack:N1}\n\n#en\nTechnical threats: web and network attacks\n::\n\n::para\n[技術的]{ぎじゅつてき:technical:N2}[脅威]{きょうい:threat:N1}にはWeb[攻撃]{こうげき:attack:N1}やネットワーク[攻撃]{こうげき:attack:N1}も[含まれる]{ふくまれる:included:N2}。フィッシングは[正規]{せいき:legitimate:N3}のサービスを[装った]{よそおった:disguised as:N2}メールやWebサイトで[個人]{こじん:personal:N2}[情報]{じょうほう:information:N3}を[窃取]{せっしゅ:steal:N1}する。スピアフィッシングは[特定]{とくてい:specific:N3}の[個人]{こじん:individual:N2}や[組織]{そしき:organization:N1}を[標的]{ひょうてき:target:N1}にした[精巧]{せいこう:elaborate:N1}なフィッシングであり、[成功]{せいこう:success:N1}[率]{りつ:rate:N1}が[高い]{たかい:high:N5}。SQLインジェクションは、Webアプリケーションの[入力]{にゅうりょく:input:N4}[欄]{らん:field:N1}に[不正]{ふせい:malicious:N4}なSQL[文]{ぶん:statement:N4}を[挿入]{そうにゅう:insert:N1}してデータベースを[操作]{そうさ:manipulate:N1}する[攻撃]{こうげき:attack:N1}である。クロスサイトスクリプティング（XSS）は、Webページに[悪意]{あくい:malicious:N4}のあるスクリプトを[埋め込み]{うめこみ:embed:N2}、[閲覧者]{えつらんしゃ:viewer:N1}のブラウザで[実行]{じっこう:execute:N3}させる。クロスサイトリクエストフォージェリ（CSRF）は、[利用者]{りようしゃ:user:N3}が[認証]{にんしょう:authenticated:N1}[済み]{ずみ:already:N3}のWebサイトに[対して]{たいして:against:N3}、[意図]{いと:intended:N4}しないリクエストを[送信]{そうしん:send:N3}させる[攻撃]{こうげき:attack:N1}である。DDoS[攻撃]{こうげき:attack:N1}は[大量]{たいりょう:large volume:N2}の[通信]{つうしん:communication:N3}でサーバーを[過負荷]{かふか:overload:N2}にし、サービスを[停止]{ていし:stop:N2}させる。ゼロデイ[攻撃]{こうげき:attack:N1}は[修正]{しゅうせい:fix:N1}パッチが[提供]{ていきょう:provided:N1}される[前]{まえ:before:N5}の[脆弱性]{ぜいじゃくせい:vulnerability:N1}を[悪用]{あくよう:exploit:N4}する。[水飲み場]{みずのみば:watering hole:N4}[攻撃]{こうげき:attack:N1}は、[標的]{ひょうてき:target:N1}が[頻繁]{ひんぱん:frequently:N1}に[訪問]{ほうもん:visit:N3}するWebサイトにマルウェアを[仕掛ける]{しかける:set up:N3}。ドライブバイダウンロードは、Webサイトを[閲覧]{えつらん:browse:N1}しただけでマルウェアが[自動的]{じどうてき:automatically:N4}にダウンロードされる。DNS 
キャッシュポイズニングは、DNSサーバーの[情報]{じょうほう:information:N3}を[改ざん]{かいざん:tamper:N2}して[偽]{にせ:fake:N1}サイトに[誘導]{ゆうどう:redirect:N1}する。バッファオーバーフローは、プログラムの[記憶]{きおく:memory:N1}[領域]{りょういき:area:N2}を[超える]{こえる:exceed:N2}データを[送り込み]{おくりこみ:send in:N3}、[不正]{ふせい:unauthorized:N4}なコードを[実行]{じっこう:execute:N3}させる[攻撃]{こうげき:attack:N1}である。\n\n#en\nTechnical threats also include web and network attacks. Phishing steals personal information through emails or websites disguised as legitimate services. Spear phishing is an elaborate form of phishing targeting specific individuals or organizations, with a high success rate. SQL injection inserts malicious SQL statements into web application input fields to manipulate databases. Cross-site scripting (XSS) embeds malicious scripts in web pages to execute them in viewers' browsers. Cross-site request forgery (CSRF) forces users to send unintended requests to websites where they are already authenticated. DDoS attacks overload servers with massive volumes of communication, shutting down services. Zero-day attacks exploit vulnerabilities before fix patches are provided. Watering hole attacks plant malware on websites frequently visited by the target. Drive-by downloads automatically download malware just by browsing a website. DNS cache poisoning tampers with DNS server information to redirect users to fake sites. Buffer overflow is an attack that sends data exceeding a program's memory area to execute unauthorized code.\n::\n\n::callout\n[試験]{しけん:exam:N4}ではXSSとCSRFの[違い]{ちがい:difference:N3}が[問われる]{とわれる:asked:N4}。XSS＝[悪意]{あくい:malicious:N4}スクリプトを[被害者]{ひがいしゃ:victim:N2}のブラウザで[実行]{じっこう:execute:N3}。CSRF＝[被害者]{ひがいしゃ:victim:N2}の[認証]{にんしょう:authentication:N1}[情報]{じょうほう:information:N3}を[悪用]{あくよう:exploit:N4}して[不正]{ふせい:unauthorized:N4}リクエストを[送信]{そうしん:send:N3}。\n\n#en\nExam tip: The difference between XSS and CSRF is tested. XSS = executing malicious scripts in the victim's browser. 
CSRF = exploiting the victim's authentication information to send unauthorized requests.\n::\n\n::para\nフィッシングには[伝達]{でんたつ:delivery:N3}[手段]{しゅだん:means:N3}や[手口]{てぐち:modus operandi:N4}に[応じた]{おうじた:corresponding:N1}[派生型]{はせいがた:derivative type:N1}があり、[試験]{しけん:exam:N4}では[混同]{こんどう:confusion:N2}を[狙った]{ねらった:aimed at:N2}[問題]{もんだい:question:N4}が[出題]{しゅつだい:set as a question:N4}されます。スミッシング（SMiShing）はSMS（[携帯]{けいたい:mobile:N1}[電話]{でんわ:phone:N5}の[短文]{たんぶん:short message:N2}）を[用いて]{もちいて:using:N4}[偽]{にせ:fake:N1}サイトに[誘導]{ゆうどう:redirect:N1}し、[宅配]{たくはい:home delivery:N3}[業者]{ぎょうしゃ:company:N4}や[金融]{きんゆう:finance:N1}[機関]{きかん:institution:N3}を[装う]{よそおう:pretend to be:N2}[例]{れい:example:N3}が[多い]{おおい:common:N4}です。ビッシング（Vishing、ボイスフィッシング）は[電話]{でんわ:phone call:N5}（[音声]{おんせい:voice:N3}）で[銀行]{ぎんこう:bank:N4}や[警察]{けいさつ:police:N3}・[公的]{こうてき:public:N4}[機関]{きかん:institution:N3}を[装い]{よそおい:impersonating:N2}、[暗証]{あんしょう:PIN:N1}[番号]{ばんごう:number:N3}や[口座]{こうざ:account:N3}[情報]{じょうほう:information:N3}を[聞き出す]{ききだす:extract:N5}[手口]{てぐち:method:N4}です。ファーミング（Pharming）は[利用者]{りようしゃ:user:N3}が[正しい]{ただしい:correct:N4}URLを[入力]{にゅうりょく:input:N4}しても、DNSキャッシュポイズニングや[端末]{たんまつ:device:N1}のhosts[改ざん]{かいざん:tampering:N2}により[偽]{にせ:fake:N1}サイトに[誘導]{ゆうどう:redirect:N1}される[攻撃]{こうげき:attack:N1}で、[利用者]{りようしゃ:user:N3}が[気付き]{きづき:notice:N3}にくいのが[特徴]{とくちょう:feature:N1}です。スキミング（Skimming）はクレジットカードやキャッシュカードの[磁気]{じき:magnetic:N1}[情報]{じょうほう:information:N3}・ICチップ[情報]{じょうほう:information:N3}を[読取]{よみとり:read:N3}[装置]{そうち:device:N2}（スキマー）で[盗み取る]{ぬすみとる:steal:N3}[物理的]{ぶつりてき:physical:N4}な[手口]{てぐち:technique:N4}で、ATMやPOS[端末]{たんまつ:terminal:N1}に[小型]{こがた:small:N2}[装置]{そうち:device:N2}を[仕掛けて]{しかけて:install:N3}カード[情報]{じょうほう:information:N3}を[複製]{ふくせい:duplicate:N1}します。\n\n#en\nPhishing has derivative types corresponding to delivery means and methods, and the exam sets questions aimed at causing confusion. Smishing (SMiShing) uses SMS (mobile phone short messages) to redirect to fake sites, often impersonating delivery companies or financial institutions. 
Vishing (voice phishing) uses phone calls (voice), impersonating banks, police, or public institutions to extract PIN numbers and account information. Pharming is an attack where users are redirected to fake sites via DNS cache poisoning or device hosts file tampering even when entering correct URLs; users find it hard to notice. Skimming is a physical technique that steals magnetic information and IC chip information from credit cards and cash cards using a reader device (skimmer); small devices are installed on ATMs or POS terminals to duplicate card information.\n::\n\n::callout\n[試験]{しけん:exam:N4}では「[手段]{しゅだん:means:N3}」と[用語]{ようご:term:N4}の[対応]{たいおう:correspondence:N1}が[問われ]{とわれ:asked:N4}ます。スミッシング＝SMS、ビッシング＝[音声]{おんせい:voice:N3}（[電話]{でんわ:phone:N5}）、ファーミング＝DNSキャッシュポイズニング[等]{とう:etc.:N3}による[偽]{にせ:fake:N1}サイト[誘導]{ゆうどう:redirect:N1}、スキミング＝カード[磁気]{じき:magnetic:N1}・ICチップを[物理的]{ぶつりてき:physical:N4}に[盗む]{ぬすむ:steal:N3}。[特]{とく:particularly:N4}にファーミングはフィッシングと[違い]{ちがい:difference:N3}[正規]{せいき:legitimate:N3}URLを[入力]{にゅうりょく:input:N4}しても[被害]{ひがい:damage:N2}に[遭う]{あう:encounter:N1}点が[引っ掛け]{ひっかけ:trap:N3}[問題]{もんだい:question:N4}になります。\n\n#en\nExam tip: The correspondence between \"means\" and term is tested. Smishing = SMS, vishing = voice (phone), pharming = redirection to fake sites via DNS cache poisoning, etc., skimming = physically stealing card magnetic\u002FIC chip data. 
In particular, the fact that pharming, unlike phishing, victimizes users even when they enter the legitimate URL is a common trap question.\n::\n\n::heading\n[人的]{じんてき:human:N4}[脅威]{きょうい:threat:N1}：ソーシャルエンジニアリングと[内部]{ないぶ:internal:N3}[犯行]{はんこう:crime:N3}\n\n#en\nHuman threats: social engineering and internal crimes\n::\n\n::para\n[人的]{じんてき:human:N4}[脅威]{きょうい:threat:N1}は、[人間]{にんげん:human:N5}の[行動]{こうどう:behavior:N4}に[起因]{きいん:caused by:N3}する[脅威]{きょうい:threat:N1}である。ソーシャルエンジニアリングは[人間]{にんげん:human:N5}の[心理的]{しんりてき:psychological:N4}な[隙]{すき:vulnerability:N1}を[突く]{つく:exploit:N3}[手法]{しゅほう:technique:N3}の[総称]{そうしょう:general term:N1}であり、[複数]{ふくすう:multiple:N2}の[手口]{てぐち:modus operandi:N4}がある。ショルダーハッキングは、[肩越し]{かたごし:over the shoulder:N2}に[画面]{がめん:screen:N3}やキーボード[入力]{にゅうりょく:input:N4}を[覗き見る]{のぞきみる:peek at:N1}ことでパスワードなどを[盗む]{ぬすむ:steal:N3}。トラッシング（ダンプスターダイビング）は、[廃棄]{はいき:discarded:N1}された[書類]{しょるい:documents:N3}や[記憶]{きおく:storage:N1}[媒体]{ばいたい:media:N1}から[機密]{きみつ:confidential:N1}[情報]{じょうほう:information:N3}を[収集]{しゅうしゅう:collect:N3}する。なりすまし[電話]{でんわ:phone call:N5}は、IT[部門]{ぶもん:department:N2}や[上司]{じょうし:superior:N1}を[装って]{よそおって:pretending to be:N2}[電話]{でんわ:phone:N5}し、パスワードや[機密]{きみつ:confidential:N1}[情報]{じょうほう:information:N3}を[聞き出す]{ききだす:extract:N5}。テールゲーティング（ピギーバッキング）は、[正規]{せいき:authorized:N3}の[入館者]{にゅうかんしゃ:entrant:N4}の[後]{あと:behind:N5}に[続いて]{つづいて:following:N3}[認証]{にんしょう:authentication:N1}なしで[入室]{にゅうしつ:enter a room:N4}する。[内部]{ないぶ:internal:N3}[犯行]{はんこう:crime:N3}は、[従業員]{じゅうぎょういん:employee:N1}や[元]{もと:former:N4}[従業員]{じゅうぎょういん:employee:N1}による[情報]{じょうほう:information:N3}の[持ち出し]{もちだし:taking 
out:N4}や[不正]{ふせい:unauthorized:N4}アクセスである。[誤]{ご:accidental:N3}[操作]{そうさ:operation:N1}による[情報]{じょうほう:information:N3}[漏えい]{ろうえい:leakage:N1}も[人的]{じんてき:human:N4}[脅威]{きょうい:threat:N1}に[含まれ]{ふくまれ:included:N2}、メールの[誤]{ご:wrong:N3}[送信]{そうしん:sending:N3}が[代表]{だいひょう:representative:N3}[例]{れい:example:N3}である。[不正]{ふせい:unauthorized:N4}アクセスは[外部]{がいぶ:external:N3}[者]{しゃ:person:N4}が[権限]{けんげん:authority:N3}なくシステムに[侵入]{しんにゅう:intrude:N1}する[行為]{こうい:act:N1}である。\n\n#en\nHuman threats are threats caused by human behavior. Social engineering is a general term for techniques that exploit human psychological vulnerabilities, with multiple methods. Shoulder hacking steals passwords by peeking at screens or keyboard input over someone's shoulder. Trashing (dumpster diving) collects confidential information from discarded documents and storage media. Impersonation phone calls pretend to be IT department or superiors to extract passwords and confidential information. Tailgating (piggybacking) follows authorized entrants to enter rooms without authentication. Internal crimes involve employees or former employees taking information out or engaging in unauthorized access. Accidental information leakage from operational errors is also a human threat, with misdirected emails being a typical example. Unauthorized access is the act of external persons intruding into systems without authorization.\n::\n\n::callout\nソーシャルエンジニアリングの[各]{かく:each:N2}[手口]{てぐち:method:N4}の[名称]{めいしょう:name:N1}と[内容]{ないよう:content:N3}の[対応]{たいおう:correspondence:N1}が[問われる]{とわれる:asked:N4}。[特]{とく:particularly:N4}に「ショルダーハッキング＝[覗き見]{のぞきみ:peeking:N1}」「トラッシング＝ゴミ[箱]{ばこ:box:N3}[漁り]{あさり:rummaging:N2}」「テールゲーティング＝[共連れ]{ともづれ:tailgating:N3}」を[確実]{かくじつ:reliably:N3}に。\n\n#en\nExam tip: The correspondence between each social engineering method name and its content is tested. 
Reliably memorize: shoulder hacking = peeking, trashing = rummaging through garbage, tailgating = following someone in.\n::\n\n::para\nプライバシーフィルター（[覗き見]{のぞきみ:peeking:N1}[防止]{ぼうし:prevention:N2}フィルム）は、[画面]{がめん:screen:N3}に[貼付]{ちょうふ:affix:N1}する[物理的]{ぶつりてき:physical:N4}な[シート]{しーと:sheet}で、[正面]{しょうめん:front:N3}からは[通常]{つうじょう:normally:N3}に[閲覧]{えつらん:viewing:N1}できる[一方]{いっぽう:while:N4}、[斜め]{ななめ:diagonal:N1}[方向]{ほうこう:direction:N3}からは[画面]{がめん:screen:N3}が[暗く]{くらく:dark:N3}見えて[内容]{ないよう:content:N3}が[判別]{はんべつ:discern:N3}できなくなる[仕組み]{しくみ:mechanism:N3}です。[外出先]{がいしゅつさき:outside the office:N5}のカフェや[新幹線]{しんかんせん:bullet train:N1}、[共有]{きょうゆう:shared:N3}スペースなど[第三者]{だいさんしゃ:third party:N1}の[視線]{しせん:gaze:N1}が[届く]{とどく:reach:N2}[環境]{かんきょう:environment:N1}での[情報]{じょうほう:information:N3}[漏えい]{ろうえい:leakage:N1}を[防ぐ]{ふせぐ:prevent:N2}[物理的]{ぶつりてき:physical:N4}[対策]{たいさく:countermeasure:N1}として、テレワークやモバイルワークで[特]{とく:particularly:N4}に[有効]{ゆうこう:effective:N2}です。[個人情報]{こじんじょうほう:personal information:N2}を[扱う]{あつかう:handle:N1}[業務]{ぎょうむ:work:N3}での[使用]{しよう:use:N4}が[推奨]{すいしょう:recommended:N1}されており、[物理的]{ぶつりてき:physical:N4}[安全]{あんぜん:safety:N3}[管理]{かんり:management:N2}[措置]{そち:measure:N1}の[一環]{いっかん:part:N1}として[位置付け]{いちづけ:position:N3}られます。\n\n#en\nA privacy filter (anti-peeking film) is a physical sheet attached to a screen, designed so that the screen displays normally when viewed from the front, but appears dark and indecipherable from diagonal angles. It is a physical countermeasure to prevent information leakage in environments where third-party gazes can reach, such as cafes, bullet trains, and shared spaces, and is particularly effective for telework and mobile work. 
Use is recommended for work handling personal information, and it is positioned as part of physical safety management measures.\n::\n\n::callout\n[試験]{しけん:exam:N4}ではプライバシーフィルター＝「[覗き見]{のぞきみ:peeking:N1}[防止]{ぼうし:prevention:N2}」[物理的]{ぶつりてき:physical:N4}[対策]{たいさく:countermeasure:N1}と[覚える]{おぼえる:memorize:N3}こと。ショルダーハッキング[対策]{たいさく:countermeasure:N1}としても[挙げられ]{あげられ:listed:N1}、[座席]{ざせき:seat:N3}[配置]{はいち:arrangement:N3}・パーティション・[画面]{がめん:screen:N3}ロックと[並ぶ]{ならぶ:alongside:N2}[取扱]{とりあつかい:handling:N1}[区域]{くいき:zone:N2}の[代表]{だいひょう:representative:N3}[対策]{たいさく:countermeasure:N1}です。\n\n#en\nExam tip: Memorize privacy filter = \"anti-peeking\" physical countermeasure. It is also listed as a shoulder hacking countermeasure, and is a representative measure for handling zones alongside seat arrangement, partitions, and screen lock.\n::\n\n::heading\n[物理的]{ぶつりてき:physical:N4}[脅威]{きょうい:threat:N1}\n\n#en\nPhysical threats\n::\n\n::para\n[物理的]{ぶつりてき:physical:N4}[脅威]{きょうい:threat:N1}は、[情報]{じょうほう:information:N3}システムの[物理]{ぶつり:physical:N4}[環境]{かんきょう:environment:N1}に[影響]{えいきょう:influence:N1}を[与える]{あたえる:give:N3}[脅威]{きょうい:threat:N1}である。[自然]{しぜん:natural:N3}[災害]{さいがい:disaster:N1}には[地震]{じしん:earthquake:N2}、[台風]{たいふう:typhoon:N4}、[洪水]{こうずい:flood:N1}、[落雷]{らくらい:lightning:N1}が[含まれる]{ふくまれる:included:N2}。[停電]{ていでん:power outage:N2}はシステム[全体]{ぜんたい:entire:N3}を[停止]{ていし:stop:N2}させ、[可用性]{かようせい:availability:N3}を[直接]{ちょくせつ:directly:N2}[脅かす]{おびやかす:threaten:N1}。[火災]{かさい:fire:N1}は[機器]{きき:equipment:N1}とデータを[物理的]{ぶつりてき:physically:N4}に[破壊]{はかい:destroy:N1}する。[不正]{ふせい:unauthorized:N4}[侵入]{しんにゅう:intrusion:N1}は[建物]{たてもの:building:N4}やサーバー[室]{しつ:room:N4}への[物理的]{ぶつりてき:physical:N4}な[侵入]{しんにゅう:intrusion:N1}であり、[盗難]{とうなん:theft:N3}はPC・[記憶]{きおく:storage:N1}[媒体]{ばいたい:media:N1}・[書類]{しょるい:documents:N3}の[物理的]{ぶつりてき:physical:N4}な[持ち去り]{もちさり:taking away:N4}である。[破壊]{はかい:destruction:N1}には[意図的]{いとてき:intentional:N4}な[機器]{きき:equipment:N1}[損壊]{そんかい:damage:N1}も[含む]{ふくむ:include:N2}。\n\n#en\nPhysical threats are threats that affect the physical environment of 
information systems. Natural disasters include earthquakes, typhoons, floods, and lightning. Power outages stop entire systems and directly threaten availability. Fire physically destroys equipment and data. Unauthorized intrusion is physical entry into buildings or server rooms. Theft is the physical taking of PCs, storage media, and documents. Destruction includes intentional equipment damage.\n::\n\n::heading\n[脆弱性]{ぜいじゃくせい:vulnerability:N1}の[分類]{ぶんるい:classification:N3}\n\n#en\nVulnerability classification\n::\n\n::para\n[脆弱性]{ぜいじゃくせい:vulnerability:N1}とは、[脅威]{きょうい:threat:N1}に[対する]{たいする:against:N3}[弱点]{じゃくてん:weakness:N2}のことである。ソフトウェアバグは[代表的]{だいひょうてき:representative:N3}な[技術的]{ぎじゅつてき:technical:N2}[脆弱性]{ぜいじゃくせい:vulnerability:N1}であり、[未]{み:not yet:N3}[修正]{しゅうせい:fixed:N1}のバグは[攻撃者]{こうげきしゃ:attacker:N1}に[悪用]{あくよう:exploit:N4}される。[設定]{せってい:configuration:N2}ミスも[深刻]{しんこく:serious:N3}な[脆弱性]{ぜいじゃくせい:vulnerability:N1}であり、デフォルトパスワードの[未]{み:not yet:N3}[変更]{へんこう:changed:N3}、ファイアウォールの[設定]{せってい:settings:N2}[不備]{ふび:inadequacy:N3}、[不要]{ふよう:unnecessary:N3}なサービスの[開放]{かいほう:opening:N3}などが[典型]{てんけい:typical:N1}[例]{れい:example:N3}である。[人的]{じんてき:human:N4}[要因]{よういん:factor:N3}による[脆弱性]{ぜいじゃくせい:vulnerability:N1}には、セキュリティ[意識]{いしき:awareness:N3}の[不足]{ふそく:lack:N4}、[教育]{きょういく:education:N3}[訓練]{くんれん:training:N2}の[不足]{ふそく:lack:N4}、[内部]{ないぶ:internal:N3}[規定]{きてい:rules:N3}の[不備]{ふび:inadequacy:N3}がある。[物理的]{ぶつりてき:physical:N4}[要因]{よういん:factor:N3}には、[施錠]{せじょう:locking:N1}[管理]{かんり:management:N2}の[不備]{ふび:inadequacy:N3}、[入退室]{にゅうたいしつ:entry and exit:N3}[管理]{かんり:management:N2}の[欠如]{けつじょ:lack:N1}、[監視]{かんし:surveillance:N1}カメラの[未]{み:not yet:N3}[設置]{せっち:installed:N2}がある。\n\n#en\nVulnerabilities are weaknesses against threats. Software bugs are a representative technical vulnerability; unfixed bugs are exploited by attackers. Configuration mistakes are also serious vulnerabilities, with typical examples including unchanged default passwords, inadequate firewall settings, and leaving unnecessary services open. 
Human factor vulnerabilities include lack of security awareness, insufficient education and training, and inadequate internal rules. Physical factor vulnerabilities include inadequate lock management, lack of entry\u002Fexit management, and uninstalled surveillance cameras.\n::\n\n::heading\n[近年]{きんねん:recent years:N4}の[脅威]{きょうい:threat:N1}の[動向]{どうこう:trends:N3}\n\n#en\nRecent threat trends\n::\n\n::para\n[近年]{きんねん:recent years:N4}、[試験]{しけん:exam:N4}で[特]{とく:particularly:N4}に[注目]{ちゅうもく:attention:N4}される[脅威]{きょうい:threat:N1}の[動向]{どうこう:trend:N3}がある。[標的型]{ひょうてきがた:targeted:N1}[攻撃]{こうげき:attack:N1}（APT: Advanced Persistent Threat）は、[特定]{とくてい:specific:N3}の[組織]{そしき:organization:N1}を[狙い]{ねらい:targeting:N2}、[長期間]{ちょうきかん:long period:N3}にわたって[執拗]{しつよう:persistent:N1}に[攻撃]{こうげき:attack:N1}を[継続]{けいぞく:continue:N1}する。[初期]{しょき:initial:N3}[侵入]{しんにゅう:intrusion:N1}にはスピアフィッシングメールが[多用]{たよう:frequently used:N4}される。サプライチェーン[攻撃]{こうげき:attack:N1}は、[取引先]{とりひきさき:business partner:N3}や[委託先]{いたくさき:outsourcing partner:N1}の[脆弱性]{ぜいじゃくせい:vulnerability:N1}を[経由]{けいゆ:via:N3}して[本来]{ほんらい:original:N5}の[標的]{ひょうてき:target:N1}に[侵入]{しんにゅう:intrude:N1}する。ランサムウェアは[被害]{ひがい:damage:N2}が[急増]{きゅうぞう:rapidly increasing:N3}しており、[二重]{にじゅう:double:N4}[脅迫]{きょうはく:extortion:N1}（データ[暗号化]{あんごうか:encryption:N3}＋[情報]{じょうほう:information:N3}[公開]{こうかい:disclosure:N4}の[脅し]{おどし:threat:N1}）が[主流]{しゅりゅう:mainstream:N3}となっている。ビジネスメール[詐欺]{さぎ:fraud:N1}（BEC）は、[経営者]{けいえいしゃ:executive:N2}や[取引先]{とりひきさき:business partner:N3}になりすましたメールで[送金]{そうきん:remittance:N4}を[指示]{しじ:instruct:N3}する。IoTセキュリティも[重要]{じゅうよう:important:N3}な[課題]{かだい:issue:N2}であり、IoT[機器]{きき:device:N1}はセキュリティ[対策]{たいさく:countermeasure:N1}が[不十分]{ふじゅうぶん:insufficient:N4}な[場合]{ばあい:case:N3}が[多く]{おおく:many:N4}、ボットネットの[踏み台]{ふみだい:stepping stone:N1}にされやすい。\n\n#en\nIn recent years, there are threat trends that receive particular attention in exams. Targeted attacks (APT: Advanced Persistent Threat) aim at specific organizations and persistently continue attacks over long periods. 
Spear phishing emails are frequently used for initial intrusion. Supply chain attacks intrude on the original target via vulnerabilities in business partners or outsourcing partners. Ransomware damage is rapidly increasing, with double extortion (data encryption + threat of information disclosure) becoming mainstream. Business email compromise (BEC) instructs money transfers through emails impersonating executives or business partners. IoT security is also an important issue, as IoT devices often have insufficient security countermeasures and are easily used as stepping stones for botnets.\n::\n\n::callout\nIPA「[情報]{じょうほう:information:N3}セキュリティ10[大]{だい:major:N5}[脅威]{きょうい:threat:N1}」は[毎年]{まいねん:every year:N5}[発表]{はっぴょう:published:N3}され、[試験]{しけん:exam:N4}の[出題]{しゅつだい:question:N4}[傾向]{けいこう:trend:N2}と[連動]{れんどう:linked:N3}する。[近年]{きんねん:recent years:N4}の[上位]{じょうい:top:N3}はランサムウェア、サプライチェーン[攻撃]{こうげき:attack:N1}、[標的型]{ひょうてきがた:targeted:N1}[攻撃]{こうげき:attack:N1}が[定番]{ていばん:standard:N3}。\n\n#en\nExam tip: IPA's \"Top 10 Information Security Threats\" is published annually and is linked to exam question trends. 
In recent years, ransomware, supply chain attacks, and targeted attacks are standard top-ranking threats.\n::\n\n::heading\nリスクの[概念]{がいねん:concept:N1}と[対応]{たいおう:response:N1}\n\n#en\nRisk concept and response\n::\n\n::para\n[情報]{じょうほう:information:N3}セキュリティにおけるリスクは、[一般的]{いっぱんてき:generally:N2}に「リスク＝[脅威]{きょうい:threat:N1}×[脆弱性]{ぜいじゃくせい:vulnerability:N1}×[資産]{しさん:asset:N3}[価値]{かち:value:N1}」で[表される]{あらわされる:expressed:N3}。[脅威]{きょうい:threat:N1}が[存在]{そんざい:exist:N3}しても[脆弱性]{ぜいじゃくせい:vulnerability:N1}がなければリスクは[低い]{ひくい:low:N2}。[逆]{ぎゃく:conversely:N2}に、[脆弱性]{ぜいじゃくせい:vulnerability:N1}があっても[脅威]{きょうい:threat:N1}が[存在]{そんざい:exist:N3}しなければリスクは[顕在化]{けんざいか:materialize:N1}しない。[資産]{しさん:asset:N3}[価値]{かち:value:N1}が[高い]{たかい:high:N5}ほど、[同じ]{おなじ:same:N4}[脅威]{きょうい:threat:N1}と[脆弱性]{ぜいじゃくせい:vulnerability:N1}でもリスクは[大きく]{おおきく:greatly:N5}なる。リスク[対応]{たいおう:response:N1}には、リスク[低減]{ていげん:reduction:N2}（[対策]{たいさく:countermeasure:N1}を[講じる]{こうじる:implement:N2}）、リスク[回避]{かいひ:avoidance:N1}（[活動]{かつどう:activity:N3}を[中止]{ちゅうし:discontinue:N4}）、リスク[移転]{いてん:transfer:N2}（[保険]{ほけん:insurance:N1}やアウトソーシング）、リスク[保有]{ほゆう:retention:N1}（[受容]{じゅよう:acceptance:N3}する）の4つがある。\n\n#en\nRisk in information security is generally expressed as \"Risk = Threat x Vulnerability x Asset Value.\" Even if a threat exists, if there is no vulnerability, the risk is low. Conversely, even if there is a vulnerability, if no threat exists, the risk does not materialize. The higher the asset value, the greater the risk even with the same threat and vulnerability. 
There are four risk responses: risk reduction (implementing countermeasures), risk avoidance (discontinuing activities), risk transfer (insurance or outsourcing), and risk retention (acceptance).\n::\n\n::callout\n「リスク＝[脅威]{きょうい:threat:N1}×[脆弱性]{ぜいじゃくせい:vulnerability:N1}×[資産]{しさん:asset:N3}[価値]{かち:value:N1}」の[公式]{こうしき:formula:N3}と、4つのリスク[対応]{たいおう:response:N1}（[低減]{ていげん:reduction:N2}・[回避]{かいひ:avoidance:N1}・[移転]{いてん:transfer:N2}・[保有]{ほゆう:retention:N1}）は[必ず]{かならず:definitely:N3}[出題]{しゅつだい:tested:N4}される。[各]{かく:each:N2}[対応]{たいおう:response:N1}の[具体]{ぐたい:specific:N3}[例]{れい:example:N3}を[挙げられる]{あげられる:can cite:N1}ようにすること。\n\n#en\nExam tip: The formula \"Risk = Threat x Vulnerability x Asset Value\" and the four risk responses (reduction, avoidance, transfer, retention) are definitely tested. Be able to cite specific examples of each response.\n::\n",{"id":206,"title":212,"titleEn":213,"topicPath":214,"questions":215},"第１編 脅威と対策 確認テスト","Chapter 1: Threats & Countermeasures — Practice Test","software\u002Fkojin-joho-hogo\u002Fkadai-2\u002Fhen-01-kyoui-taisaku",[216,243,266,289,313,336,360,381,405,428,452,476,500],{"id":217,"articleId":6,"question":218,"options":221,"correctLabel":235,"explanation":238,"tags":241},"kjh-k2-h01-q01",{"en":219,"jp":220},"Which of the following is NOT one of the three elements (CIA) of information security?","[情報]{じょうほう:information}セキュリティの3[要素]{ようそ:elements}（CIA）に[該当]{がいとう:applicable}しないものはどれか。",[222,226,230,234],{"label":223,"jp":224,"en":225},"ア","[機密性]{きみつせい:confidentiality}（Confidentiality）","Confidentiality",{"label":227,"jp":228,"en":229},"イ","[完全性]{かんぜんせい:integrity}（Integrity）","Integrity",{"label":231,"jp":232,"en":233},"ウ","[可用性]{かようせい:availability}（Availability）","Availability",{"label":235,"jp":236,"en":237},"エ","[信頼性]{しんらいせい:reliability}（Reliability）","Reliability",{"en":239,"jp":240},"CIA stands for Confidentiality, Integrity, and Availability. 
Reliability is listed as an additional characteristic in JIS Q 27001 but is not one of the three CIA elements.","CIAは[機密性]{きみつせい:confidentiality}・[完全性]{かんぜんせい:integrity}・[可用性]{かようせい:availability}の3つを[指]{さ:point to}す。[信頼性]{しんらいせい:reliability}はJIS Q 27001で[追加]{ついか:additional}[特性]{とくせい:characteristic}として[挙]{あ:listed}げられるが、CIAの[構成]{こうせい:composition}[要素]{ようそ:element}ではない。",[242],"CIA",{"id":244,"articleId":6,"question":245,"options":248,"correctLabel":231,"explanation":261,"tags":264},"kjh-k2-h01-q02",{"en":246,"jp":247},"Which type of malware encrypts files on an infected computer and demands a ransom for decryption?","[感染]{かんせん:infection}したコンピュータのファイルを[暗号化]{あんごうか:encrypt}し、[復号]{ふくごう:decryption}のために[身代金]{みのしろきん:ransom}を[要求]{ようきゅう:demand}するマルウェアはどれか。",[249,252,255,258],{"label":223,"jp":250,"en":251},"ワーム","Worm",{"label":227,"jp":253,"en":254},"トロイの木馬","Trojan horse",{"label":231,"jp":256,"en":257},"ランサムウェア","Ransomware",{"label":235,"jp":259,"en":260},"スパイウェア","Spyware",{"en":262,"jp":263},"Ransomware encrypts files and demands a ransom. 
A worm self-propagates, a Trojan horse disguises itself as legitimate software, and spyware steals information.","ランサムウェアはファイルを[暗号化]{あんごうか:encrypt}し[身代金]{みのしろきん:ransom}を[要求]{ようきゅう:demand}する。ワームは[自己]{じこ:self}[増殖]{ぞうしょく:propagation}するマルウェア、トロイの[木馬]{もくば:wooden horse}は[正規]{せいき:legitimate}ソフトに[偽装]{ぎそう:disguise}して[侵入]{しんにゅう:intrusion}するもの、スパイウェアは[情報]{じょうほう:information}を[窃取]{せっしゅ:steal}するものである。",[265],"malware",{"id":267,"articleId":6,"question":268,"options":271,"correctLabel":227,"explanation":284,"tags":287},"kjh-k2-h01-q03",{"en":269,"jp":270},"Which of the following is the most appropriate example of a social engineering technique?","ソーシャルエンジニアリングの[手法]{しゅほう:technique}として[最]{もっと:most}も[適切]{てきせつ:appropriate}なものはどれか。",[272,275,278,281],{"label":223,"jp":273,"en":274},"SQLインジェクションによるデータベースへの[不正]{ふせい:unauthorized}アクセス","Unauthorized access to a database via SQL injection",{"label":227,"jp":276,"en":277},"[電話]{でんわ:telephone}でシステム[管理者]{かんりしゃ:administrator}を[装]{よそお:pretend}いパスワードを[聞]{き:ask}き[出]{だ:extract}す","Impersonating a system administrator over the phone to extract a password",{"label":231,"jp":279,"en":280},"ブルートフォース[攻撃]{こうげき:attack}でパスワードを[解読]{かいどく:decode}する","Decoding a password through a brute-force attack",{"label":235,"jp":282,"en":283},"ゼロデイ[脆弱性]{ぜいじゃくせい:vulnerability}を[利用]{りよう:exploit}した[攻撃]{こうげき:attack}","An attack exploiting a zero-day vulnerability",{"en":285,"jp":286},"Social engineering exploits human psychological weaknesses, not technical means. Impersonating an administrator over the phone is a classic example. 
Options A, C, and D are all technical attacks.","ソーシャルエンジニアリングは[技術的]{ぎじゅつてき:technical}[手段]{しゅだん:means}ではなく、[人間]{にんげん:human}の[心理的]{しんりてき:psychological}な[弱点]{じゃくてん:weakness}を[突]{つ:exploit}く[手法]{しゅほう:technique}である。[電話]{でんわ:telephone}で[管理者]{かんりしゃ:administrator}を[装]{よそお:impersonate}う[行為]{こうい:act}が[該当]{がいとう:applicable}する。ア・ウ・エはいずれも[技術的]{ぎじゅつてき:technical}[攻撃]{こうげき:attack}である。",[288],"social-engineering",{"id":290,"articleId":291,"question":292,"options":295,"correctLabel":223,"explanation":308,"tags":311},"kjh-k2-h01-q04","kjh-k1-h01-hotaikei",{"en":293,"jp":294},"Which of the following acts is prohibited under the Unauthorized Computer Access Law?","[不正]{ふせい:unauthorized}アクセス[禁止法]{きんしほう:prohibition law}で[禁止]{きんし:prohibited}されている[行為]{こうい:act}として[正]{ただ:correct}しいものはどれか。",[296,299,302,305],{"label":223,"jp":297,"en":298},"[他人]{たにん:another person}のID・パスワードを[無断]{むだん:without permission}で[使用]{しよう:use}してログインする[行為]{こうい:act}","Logging in using another person's ID and password without permission",{"label":227,"jp":300,"en":301},"[自分]{じぶん:oneself}のパスワードを[簡単]{かんたん:simple}なものに[設定]{せってい:set}する[行為]{こうい:act}","Setting one's own password to something simple",{"label":231,"jp":303,"en":304},"[社内]{しゃない:within the company}ネットワークに[正規]{せいき:authorized}の[手段]{しゅだん:means}でアクセスする[行為]{こうい:act}","Accessing the company network through authorized means",{"label":235,"jp":306,"en":307},"ファイアウォールを[導入]{どうにゅう:implement}する[行為]{こうい:act}","Implementing a firewall",{"en":309,"jp":310},"The Unauthorized Computer Access Law prohibits using another person's identification codes (ID\u002Fpassword) without permission to bypass access controls. Option B is inadvisable but not illegal. 
Options C and D are legitimate acts.","[不正]{ふせい:unauthorized}アクセス[禁止法]{きんしほう:prohibition law}は、[他人]{たにん:another person}の[識別]{しきべつ:identification}[符号]{ふごう:code}（ID・パスワード）を[無断]{むだん:without permission}[使用]{しよう:use}してアクセス[制御]{せいぎょ:control}を[突破]{とっぱ:break through}する[行為]{こうい:act}を[禁止]{きんし:prohibit}している。イは[推奨]{すいしょう:recommendation}されないが[違法]{いほう:illegal}ではない。ウ・エは[正当]{せいとう:legitimate}な[行為]{こうい:act}である。",[312],"unauthorized-access-law",{"id":314,"articleId":291,"question":315,"options":318,"correctLabel":235,"explanation":331,"tags":334},"kjh-k2-h01-q05",{"en":316,"jp":317},"Which of the following is NOT one of the three requirements for trade secrets under the Unfair Competition Prevention Act?","[不正]{ふせい:unfair}[競争]{きょうそう:competition}[防止法]{ぼうしほう:prevention law}における[営業]{えいぎょう:business}[秘密]{ひみつ:secret}の3[要件]{ようけん:requirements}に[該当]{がいとう:applicable}しないものはどれか。",[319,322,325,328],{"label":223,"jp":320,"en":321},"[秘密]{ひみつ:secret}[管理性]{かんりせい:manageability}","Secret management (the information is managed as a secret)",{"label":227,"jp":323,"en":324},"[有用性]{ゆうようせい:usefulness}","Usefulness (the information has commercial value)",{"label":231,"jp":326,"en":327},"[非]{ひ:non-}[公知性]{こうちせい:public knowledge}","Non-public knowledge (the information is not publicly known)",{"label":235,"jp":329,"en":330},"[新規性]{しんきせい:novelty}","Novelty (the information is new)",{"en":332,"jp":333},"The three requirements for trade secrets are: secret management, usefulness, and non-public knowledge. 
Novelty is a requirement under patent law, not for trade secrets.","[営業]{えいぎょう:business}[秘密]{ひみつ:secret}の3[要件]{ようけん:requirements}は「[秘密]{ひみつ:secret}[管理性]{かんりせい:manageability}」「[有用性]{ゆうようせい:usefulness}」「[非]{ひ:non-}[公知性]{こうちせい:public knowledge}」の3つである。「[新規性]{しんきせい:novelty}」は[特許法]{とっきょほう:patent law}の[要件]{ようけん:requirement}であり、[営業]{えいぎょう:business}[秘密]{ひみつ:secret}の[要件]{ようけん:requirement}ではない。",[335],"trade-secret",{"id":337,"articleId":291,"question":338,"options":341,"correctLabel":227,"explanation":354,"tags":357},"kjh-k2-h01-q06",{"en":339,"jp":340},"Which of the following correctly describes the difference between ISMS and the Privacy Mark?","ISMSとプライバシーマークの[違]{ちが:difference}いについて[正]{ただ:correct}しいものはどれか。",[342,345,348,351],{"label":223,"jp":343,"en":344},"ISMSは[個人情報]{こじんじょうほう:personal information}のみを[対象]{たいしょう:target}とし、プライバシーマークは[全]{すべ:all}ての[情報]{じょうほう:information}[資産]{しさん:assets}を[対象]{たいしょう:target}とする","ISMS covers only personal information, while the Privacy Mark covers all information assets",{"label":227,"jp":346,"en":347},"ISMSは[全]{すべ:all}ての[情報]{じょうほう:information}[資産]{しさん:assets}を[対象]{たいしょう:target}とし、プライバシーマークは[個人情報]{こじんじょうほう:personal information}[保護]{ほご:protection}に[特化]{とっか:specialized}する","ISMS covers all information assets, while the Privacy Mark specializes in personal information protection",{"label":231,"jp":349,"en":350},"[両者]{りょうしゃ:both}とも[国際]{こくさい:international}[規格]{きかく:standard}に[基]{もと:based}づく[認証]{にんしょう:certification}[制度]{せいど:system}である","Both are certification systems based on international standards",{"label":235,"jp":352,"en":353},"プライバシーマークは[部門]{ぶもん:department}[単位]{たんい:unit}で[取得]{しゅとく:obtain}でき、ISMSは[会社]{かいしゃ:company}[全体]{ぜんたい:entire}でしか[取得]{しゅとく:obtain}できない","The Privacy Mark can be obtained per department, while ISMS can only be obtained company-wide",{"en":355,"jp":356},"ISMS (ISO\u002FIEC 27001) is an international standard covering all information assets and can be obtained per department. 
The Privacy Mark (JIS Q 15001) is a domestic system specializing in personal information protection and must be obtained company-wide. Option A is reversed. Option C is wrong because the Privacy Mark is a domestic standard. Option D is also reversed.","ISMS（ISO\u002FIEC 27001）は[情報]{じょうほう:information}[資産]{しさん:assets}[全般]{ぜんぱん:overall}を[対象]{たいしょう:target}とする[国際]{こくさい:international}[規格]{きかく:standard}に[基]{もと:based}づく[認証]{にんしょう:certification}で、[部門]{ぶもん:department}[単位]{たんい:unit}で[取得]{しゅとく:obtain}[可能]{かのう:possible}。プライバシーマーク（JIS Q 15001）は[個人情報]{こじんじょうほう:personal information}[保護]{ほご:protection}に[特化]{とっか:specialized}した[国内]{こくない:domestic}[制度]{せいど:system}で、[事業者]{じぎょうしゃ:business operator}[全体]{ぜんたい:entire}で[取得]{しゅとく:obtain}する。アは[逆]{ぎゃく:reverse}。ウはプライバシーマークが[国内]{こくない:domestic}[規格]{きかく:standard}なので[誤]{あやま:incorrect}り。エも[逆]{ぎゃく:reverse}である。",[358,359],"ISMS","privacy-mark",{"id":361,"articleId":6,"question":362,"options":365,"correctLabel":231,"explanation":377,"tags":380},"kjh-k2-h01-q07",{"en":363,"jp":364},"Which property of information security is guaranteed by digital signatures and timestamps?","[情報]{じょうほう:information}セキュリティの[特性]{とくせい:property}のうち、デジタル[署名]{しょめい:signature}やタイムスタンプによって[担保]{たんぽ:guarantee}されるものはどれか。",[366,369,372,375],{"label":223,"jp":367,"en":368},"[真正性]{しんせいせい:authenticity}","Authenticity",{"label":227,"jp":370,"en":371},"[責任]{せきにん:responsibility}[追跡性]{ついせきせい:traceability}","Accountability",{"label":231,"jp":373,"en":374},"[否認]{ひにん:denial}[防止]{ぼうし:prevention}","Non-repudiation",{"label":235,"jp":376,"en":237},"[信頼性]{しんらいせい:reliability}",{"en":378,"jp":379},"Non-repudiation is the property that prevents someone from later denying (\"I did not do it\") an act they performed; it is guaranteed by digital signatures and timestamps. 
Authenticity is ensured by multi-factor authentication and electronic certificates; accountability is ensured by access logs and audit trails.","[否認]{ひにん:denial}[防止]{ぼうし:prevention}は、ある[行為]{こうい:act}を[後]{あと:later}から「やっていない」と[否定]{ひてい:deny}できなくする[特性]{とくせい:property}で、デジタル[署名]{しょめい:signature}やタイムスタンプで[担保]{たんぽ:guarantee}される。[真正性]{しんせいせい:authenticity}は[多]{た:multi}[要素]{ようそ:factor}[認証]{にんしょう:authentication}や[電子]{でんし:electronic}[証明書]{しょうめいしょ:certificate}、[責任]{せきにん:responsibility}[追跡性]{ついせきせい:traceability}はアクセスログや[監査]{かんさ:audit}[証跡]{しょうせき:trail}で[実現]{じつげん:realize}される。",[242,53],{"id":382,"articleId":6,"question":383,"options":386,"correctLabel":227,"explanation":399,"tags":402},"kjh-k2-h01-q08",{"en":384,"jp":385},"Which best describes the characteristic of an XSS (Cross-Site Scripting) attack?","XSS（クロスサイトスクリプティング）[攻撃]{こうげき:attack}の[特徴]{とくちょう:characteristic}として[最]{もっと:most}も[適切]{てきせつ:appropriate}なものはどれか。",[387,390,393,396],{"label":223,"jp":388,"en":389},"データベースに[不正]{ふせい:malicious}なSQL[文]{ぶん:statement}を[挿入]{そうにゅう:insert}する","Insert malicious SQL statements into a database",{"label":227,"jp":391,"en":392},"Webページに[悪意]{あくい:malicious}のあるスクリプトを[埋め込み]{うめこみ:embed}、[閲覧者]{えつらんしゃ:viewer}のブラウザで[実行]{じっこう:execute}させる","Embed malicious scripts in web pages and execute them in viewers' browsers",{"label":231,"jp":394,"en":395},"[認証]{にんしょう:authenticated}[済み]{ずみ:already}[利用者]{りようしゃ:user}に[意図]{いと:intended}しないリクエストを[送信]{そうしん:send}させる","Force authenticated users to send unintended requests",{"label":235,"jp":397,"en":398},"DNSサーバーの[情報]{じょうほう:information}を[改ざん]{かいざん:tamper}し[偽]{にせ:fake}サイトに[誘導]{ゆうどう:redirect}する","Tamper with DNS server information to redirect to fake sites",{"en":400,"jp":401},"XSS embeds malicious scripts in web pages and executes them in the victim's browser. 
A describes SQL injection, C describes CSRF, and D describes DNS cache poisoning.","XSSはWebページに[悪意]{あくい:malicious}スクリプトを[埋め込み]{うめこみ:embed}、[被害者]{ひがいしゃ:victim}のブラウザで[実行]{じっこう:execute}させる[攻撃]{こうげき:attack}。アはSQLインジェクション、ウはCSRF、エはDNSキャッシュポイズニングの[説明]{せつめい:description}である。",[403,404],"xss","web-attack",{"id":406,"articleId":6,"question":407,"options":410,"correctLabel":231,"explanation":423,"tags":426},"kjh-k2-h01-q09",{"en":408,"jp":409},"Among the four risk response categories, which corresponds to taking out insurance or outsourcing?","リスク[対応]{たいおう:response}の4[分類]{ぶんるい:classifications}のうち、[保険]{ほけん:insurance}への[加入]{かにゅう:joining}やアウトソーシングの[利用]{りよう:use}が[該当]{がいとう:applicable}するものはどれか。",[411,414,417,420],{"label":223,"jp":412,"en":413},"リスク[低減]{ていげん:reduction}","Risk reduction",{"label":227,"jp":415,"en":416},"リスク[回避]{かいひ:avoidance}","Risk avoidance",{"label":231,"jp":418,"en":419},"リスク[移転]{いてん:transfer}","Risk transfer",{"label":235,"jp":421,"en":422},"リスク[保有]{ほゆう:retention}","Risk retention",{"en":424,"jp":425},"Risk transfer shifts risk to a third party via insurance or outsourcing. 
Reduction means implementing countermeasures, avoidance means discontinuing the activity itself, and retention means accepting the risk.","リスク[移転]{いてん:transfer}は、[保険]{ほけん:insurance}やアウトソーシングなどで[第三者]{だいさんしゃ:third party}にリスクを[移す]{うつす:shift}[対応]{たいおう:response}。[低減]{ていげん:reduction}は[対策]{たいさく:countermeasures}を[講じる]{こうじる:implement}こと、[回避]{かいひ:avoidance}は[活動]{かつどう:activity}[自体]{じたい:itself}を[中止]{ちゅうし:discontinue}すること、[保有]{ほゆう:retention}はリスクを[受容]{じゅよう:accept}することである。",[427],"risk-management",{"id":429,"articleId":430,"question":431,"options":434,"correctLabel":223,"explanation":447,"tags":450},"kjh-k2-h01-q10","kjh-k2-h01-guideline",{"en":432,"jp":433},"Which is the correct order of the PDCA cycle, the central concept of ISMS (JIS Q 27001)?","ISMS（JIS Q 27001）における[中心]{ちゅうしん:central}[概念]{がいねん:concept}であるPDCAサイクルの[順序]{じゅんじょ:order}として[正]{ただ:correct}しいものはどれか。",[435,438,441,444],{"label":223,"jp":436,"en":437},"[計画]{けいかく:plan}→[実行]{じっこう:execute}→[点検]{てんけん:check}→[改善]{かいぜん:improve}","Plan → Do → Check → Act",{"label":227,"jp":439,"en":440},"[計画]{けいかく:plan}→[点検]{てんけん:check}→[実行]{じっこう:execute}→[改善]{かいぜん:improve}","Plan → Check → Do → Act",{"label":231,"jp":442,"en":443},"[実行]{じっこう:execute}→[計画]{けいかく:plan}→[改善]{かいぜん:improve}→[点検]{てんけん:check}","Do → Plan → Act → Check",{"label":235,"jp":445,"en":446},"[点検]{てんけん:check}→[計画]{けいかく:plan}→[実行]{じっこう:execute}→[改善]{かいぜん:improve}","Check → Plan → Do → Act",{"en":448,"jp":449},"PDCA cycles in order: Plan → Do → Check → Act, continuously improving security levels.","PDCAサイクルはPlan（[計画]{けいかく:plan}）→Do（[実行]{じっこう:execute}）→Check（[点検]{てんけん:check}）→Act（[改善]{かいぜん:improve}）の[順]{じゅん:order}で[回す]{まわす:cycle}ことで、セキュリティ[水準]{すいじゅん:level}を[継続的]{けいぞくてき:continuously}に[向上]{こうじょう:improve}させる[考え方]{かんがえかた:concept}である。",[358,451],"PDCA",{"id":453,"articleId":430,"question":454,"options":457,"correctLabel":223,"explanation":470,"tags":473},"kjh-k2-h01-q11",{"en":455,"jp":456},"Which of the Personal Information Protection Act guidelines stipulates safety management 
measures from four aspects: organizational, human, physical, and technical?","[個人]{こじん:personal}[情報]{じょうほう:information}[保護法]{ほごほう:Protection Act}ガイドラインのうち、[安全]{あんぜん:safety}[管理]{かんり:management}[措置]{そち:measures}を[組織的]{そしきてき:organizational}・[人的]{じんてき:human}・[物理的]{ぶつりてき:physical}・[技術的]{ぎじゅつてき:technical}の4[側面]{そくめん:aspects}から[規定]{きてい:stipulate}するのはどれか。",[458,461,464,467],{"label":223,"jp":459,"en":460},"[通則編]{つうそくへん:general rules volume}","General Rules volume",{"label":227,"jp":462,"en":463},"[外国]{がいこく:foreign}にある[第三者]{だいさんしゃ:third party}への[提供編]{ていきょうへん:provision volume}","Foreign Third-Party Provision volume",{"label":231,"jp":465,"en":466},"[確認]{かくにん:confirmation}・[記録]{きろく:record}[義務編]{ぎむへん:obligation volume}","Confirmation and Record Obligation volume",{"label":235,"jp":468,"en":469},"[仮名]{かめい:pseudonymized}・[匿名]{とくめい:anonymized}[加工]{かこう:processed}[情報編]{じょうほうへん:information volume}","Pseudonymized\u002FAnonymized Information volume",{"en":471,"jp":472},"The PPC Personal Information Protection Act guidelines consist of 4 volumes; the most important is the General Rules volume. 
Its safety management measures chapter details all four aspects: organizational, human, physical, and technical.","PPCの[個人]{こじん:personal}[情報]{じょうほう:information}[保護法]{ほごほう:Protection Act}ガイドラインは4[巻]{かん:volumes}[構成]{こうせい:composition}で、[最]{もっと:most}も[重要]{じゅうよう:important}なのが[通則編]{つうそくへん:general rules volume}である。[安全]{あんぜん:safety}[管理]{かんり:management}[措置]{そち:measures}の[章]{しょう:chapter}で[組織的]{そしきてき:organizational}・[人的]{じんてき:human}・[物理的]{ぶつりてき:physical}・[技術的]{ぎじゅつてき:technical}の4[側面]{そくめん:aspects}を[詳細]{しょうさい:in detail}に[規定]{きてい:stipulate}している。",[474,475],"guidelines","safety-management",{"id":477,"articleId":430,"question":478,"options":481,"correctLabel":227,"explanation":494,"tags":497},"kjh-k2-h01-q12",{"en":479,"jp":480},"Which organization was established under the Basic Act on Cybersecurity to formulate and promote Japan's cybersecurity strategy?","サイバーセキュリティ[基本法]{きほんほう:Basic Act}に[基づき]{もとづき:based on}[設置]{せっち:established}され、[日本]{にほん:Japan}のサイバーセキュリティ[戦略]{せんりゃく:strategy}の[策定]{さくてい:formulation}・[推進]{すいしん:promotion}を[担う]{になう:undertake}[組織]{そしき:organization}はどれか。",[482,485,488,491],{"label":223,"jp":483,"en":484},"IPA（情報処理推進機構）","IPA (Information-technology Promotion Agency)",{"label":227,"jp":486,"en":487},"NISC（内閣サイバーセキュリティセンター）","NISC (National center of Incident readiness and Strategy for Cybersecurity)",{"label":231,"jp":489,"en":490},"JIPDEC（日本情報経済社会推進協会）","JIPDEC (Japan Institute for Promotion of Digital Economy and Community)",{"label":235,"jp":492,"en":493},"PPC（個人情報保護委員会）","PPC (Personal Information Protection Commission)",{"en":495,"jp":496},"NISC was established under the 2014 Basic Act on Cybersecurity. It coordinates cooperation with ministries and the private sector. 
JIPDEC is the P-Mark certification body, and PPC is the authority for the Personal Information Protection Act.","2014[年]{ねん:year}[制定]{せいてい:enacted}のサイバーセキュリティ[基本法]{きほんほう:Basic Act}により[設置]{せっち:established}されたのはNISC（[内閣]{ないかく:Cabinet}サイバーセキュリティセンター）。[各]{かく:each}[省庁]{しょうちょう:ministry}や[民間]{みんかん:private sector}との[連携]{れんけい:cooperation}を[調整]{ちょうせい:coordinate}する。JIPDECはPマーク[認証]{にんしょう:certification}[機関]{きかん:body}、PPCは[個人]{こじん:personal}[情報]{じょうほう:information}[保護法]{ほごほう:Protection Act}[所管]{しょかん:jurisdiction}[機関]{きかん:body}である。",[498,499],"cyber-basic-act","NISC",{"id":501,"articleId":430,"question":502,"options":505,"correctLabel":227,"explanation":518,"tags":521},"kjh-k2-h01-q13",{"en":503,"jp":504},"Which of the following correctly describes the scope of use of My Number (specific personal information)?","マイナンバー（[特定]{とくてい:specific}[個人]{こじん:personal}[情報]{じょうほう:information}）の[利用]{りよう:use}[範囲]{はんい:scope}として[正]{ただ:correct}しいものはどれか。",[506,509,512,515],{"label":223,"jp":507,"en":508},"[企業]{きぎょう:company}の[顧客]{こきゃく:customer}[管理]{かんり:management}や[営業]{えいぎょう:sales}[活動]{かつどう:activities}に[幅広く]{はばひろく:broadly}[利用]{りよう:use}できる","Can be widely used for corporate customer management and sales activities",{"label":227,"jp":510,"en":511},"[税]{ぜい:tax}・[社会]{しゃかい:social}[保障]{ほしょう:security}・[災害]{さいがい:disaster}[対策]{たいさく:countermeasures}の3[分野]{ぶんや:fields}に[限定]{げんてい:limited}される","Limited to three fields: tax, social security, and disaster countermeasures",{"label":231,"jp":513,"en":514},"[本人]{ほんにん:the individual}の[同意]{どうい:consent}があればあらゆる[目的]{もくてき:purpose}で[利用]{りよう:use}[可能]{かのう:possible}","May be used for any purpose with the individual's consent",{"label":235,"jp":516,"en":517},"[行政]{ぎょうせい:administrative}[機関]{きかん:body}のみが[利用]{りよう:use}でき、[民間]{みんかん:private sector}[企業]{きぎょう:companies}は[利用]{りよう:use}できない","Only administrative bodies may use it; private companies may not",{"en":519,"jp":520},"My Number use is strictly limited to tax, social security, and disaster countermeasures, and use outside the 
stated purposes is prohibited even with the individual's consent. Private companies also use it for tax\u002Fsocial security work such as tax withholding, so D is incorrect.","マイナンバーの[利用]{りよう:use}[範囲]{はんい:scope}は[税]{ぜい:tax}・[社会]{しゃかい:social}[保障]{ほしょう:security}・[災害]{さいがい:disaster}[対策]{たいさく:countermeasures}に[限定]{げんてい:strictly limited}され、[本人]{ほんにん:the individual}の[同意]{どうい:consent}があっても[目的]{もくてき:purpose}[外]{がい:outside}[利用]{りよう:use}は[原則]{げんそく:in principle}[禁止]{きんし:prohibited}。[民間]{みんかん:private sector}[企業]{きぎょう:companies}も[源泉]{げんせん:withholding}[徴収]{ちょうしゅう:tax collection}など[税]{ぜい:tax}・[社会]{しゃかい:social}[保障]{ほしょう:security}[関連]{かんれん:related}[業務]{ぎょうむ:work}で[利用]{りよう:use}するためエは[誤り]{あやまり:incorrect}。",[522],"my-number"]