[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"article:kjh-k2-h01-guideline":3},{"meta":4,"markdown":178,"quiz":179},{"type":5,"articleId":6,"slug":6,"title":7,"titleEn":8,"category":9,"order":10,"seriesLabel":11,"summary":12,"publishedAt":13,"image":14,"tags":15,"vocabulary":19,"quizId":174,"source":175},"article","kjh-k2-h01-guideline","課題Ⅱ 第１編② セキュリティ対策基準とガイドライン","Security standards and guidelines","kojin-joho-hogo\u002Fkadai-2",2012,"課題Ⅱ 第１編②","Covers ISMS (JIS Q 27001\u002F27002) with PDCA, risk assessment, and SoA; PPC guidelines (4 volumes); My Number guidelines; Cybersecurity Basic Act and 14 critical infrastructure sectors; trade secret 3 requirements; Unauthorized Access Prohibition Act; telecommunications\u002Femail\u002Fcriminal code provisions; NIST CSF 5 functions; ISO 27000 family; and ISMS vs Privacy Mark comparison.","2026-04-26T00:00:00Z","https:\u002F\u002Fimages.yamiyomi.com\u002Fkjh-k2-h01-guideline.png",[16,17,18],"exam:個人情報保護士","topic:情報セキュリティ","topic:ガイドライン",[20,25,30,34,38,42,46,50,54,58,62,66,70,74,78,82,86,90,94,98,102,106,110,114,118,122,126,130,134,138,142,146,150,154,158,162,166,170],{"word":21,"reading":22,"meaning":23,"level":24},"規格","きかく","standard, specification","N2",{"word":26,"reading":27,"meaning":28,"level":29},"法令","ほうれい","laws and regulations","N1",{"word":31,"reading":32,"meaning":33,"level":29},"体系的","たいけいてき","systematic",{"word":35,"reading":36,"meaning":37,"level":29},"管理策","かんりさく","control measures",{"word":39,"reading":40,"meaning":41,"level":24},"認証","にんしょう","certification, authentication",{"word":43,"reading":44,"meaning":45,"level":29},"適用範囲","てきようはんい","scope of application",{"word":47,"reading":48,"meaning":49,"level":29},"脆弱性","ぜいじゃくせい","vulnerability",{"word":51,"reading":52,"meaning":53,"level":29},"附属書","ふぞくしょ","annex",{"word":55,"reading":56,"meaning":57,"level":29},"宣言書","せんげんしょ","statement, declaration",{"word":59,"reading":60,"meaning":61,"level":29},"通則編","つうそくへん","general rules 
volume",{"word":63,"reading":64,"meaning":65,"level":29},"軽減措置","けいげんそち","reduced measures",{"word":67,"reading":68,"meaning":69,"level":29},"十分性認定","じゅうぶんせいにんてい","adequacy recognition",{"word":71,"reading":72,"meaning":73,"level":29},"仮名加工情報","かめいかこうじょうほう","pseudonymized information",{"word":75,"reading":76,"meaning":77,"level":29},"匿名加工情報","とくめいかこうじょうほう","anonymized information",{"word":79,"reading":80,"meaning":81,"level":29},"拘束力","こうそくりょく","binding force",{"word":83,"reading":84,"meaning":85,"level":29},"特定個人情報","とくていこじんじょうほう","specific personal information (My Number)",{"word":87,"reading":88,"meaning":89,"level":29},"重要インフラ","じゅうようインフラ","critical infrastructure",{"word":91,"reading":92,"meaning":93,"level":29},"営業秘密","えいぎょうひみつ","trade secret",{"word":95,"reading":96,"meaning":97,"level":29},"秘密管理性","ひみつかんりせい","secrecy management",{"word":99,"reading":100,"meaning":101,"level":29},"有用性","ゆうようせい","usefulness",{"word":103,"reading":104,"meaning":105,"level":29},"非公知性","ひこうちせい","non-public knowledge",{"word":107,"reading":108,"meaning":109,"level":29},"差止請求","さしとめせいきゅう","injunction claim",{"word":111,"reading":112,"meaning":113,"level":29},"損害賠償","そんがいばいしょう","damages, compensation",{"word":115,"reading":116,"meaning":117,"level":29},"助長","じょちょう","facilitation, promotion",{"word":119,"reading":120,"meaning":121,"level":29},"懲役","ちょうえき","imprisonment",{"word":123,"reading":124,"meaning":125,"level":24},"罰金","ばっきん","fine",{"word":127,"reading":128,"meaning":129,"level":29},"通信の秘密","つうしんのひみつ","secrecy of communications",{"word":131,"reading":132,"meaning":133,"level":29},"不正指令電磁的記録","ふせいしれいでんじてききろく","wrongful electromagnetic record commands",{"word":135,"reading":136,"meaning":137,"level":29},"識別","しきべつ","identification",{"word":139,"reading":140,"meaning":141,"level":29},"防御","ぼうぎょ","defense, protection",{"word":143,"reading":144,"meaning":145,"level":29},"復旧","ふっきゅう","recovery, 
restoration",{"word":147,"reading":148,"meaning":149,"level":24},"枠組み","わくぐみ","framework",{"word":151,"reading":152,"meaning":153,"level":29},"混同","こんどう","confusion, mix-up",{"word":155,"reading":156,"meaning":157,"level":29},"推進協会","すいしんきょうかい","promotion association",{"word":159,"reading":160,"meaning":161,"level":29},"策定","さくてい","formulation",{"word":163,"reading":164,"meaning":165,"level":29},"責務","せきむ","responsibility, duty",{"word":167,"reading":168,"meaning":169,"level":29},"頻出","ひんしゅつ","frequently appearing",{"word":171,"reading":172,"meaning":173,"level":29},"包括的","ほうかつてき","comprehensive","kjh-k2-h01-quiz",{"name":176,"url":177},"個人情報保護士試験対策","https:\u002F\u002Fwww.joho-gakushu.or.jp\u002Fpiip\u002F","\n::para\nISMS（[情報]{じょうほう:information:N3}セキュリティマネジメントシステム）とは、[組織]{そしき:organization:N1}が[保有]{ほゆう:possess:N1}する[情報]{じょうほう:information:N3}[資産]{しさん:assets:N3}を[体系的]{たいけいてき:systematic:N1}に[守る]{まもる:protect:N3}ための[管理]{かんり:management:N2}の[仕組み]{しくみ:mechanism:N3}である。JIS Q 27001はISO\u002FIEC 27001の[日本語]{にほんご:Japanese:N5}[版]{ばん:version:N2}であり、ISMSの[要求]{ようきゅう:requirements:N3}[事項]{じこう:matters:N1}を[規定]{きてい:stipulate:N3}する。[中心]{ちゅうしん:center:N4}となる[考え方]{かんがえかた:concept:N4}はPDCAサイクル（Plan-Do-Check-Act）であり、[計画]{けいかく:plan:N4}→[実行]{じっこう:execute:N3}→[点検]{てんけん:check:N1}→[改善]{かいぜん:improve:N1}を[繰り返す]{くりかえす:repeat:N1}ことで[継続的]{けいぞくてき:continuous:N1}にセキュリティ[水準]{すいじゅん:level:N2}を[向上]{こうじょう:improve:N3}させる。ISMSは[技術的]{ぎじゅつてき:technical:N2}[対策]{たいさく:countermeasure:N1}だけでなく、[組織]{そしき:organization:N1}の[方針]{ほうしん:policy:N2}、[人的]{じんてき:human:N4}[管理]{かんり:management:N2}、[物理的]{ぶつりてき:physical:N4}セキュリティまで[含む]{ふくむ:include:N2}[包括的]{ほうかつてき:comprehensive:N1}な[枠組み]{わくぐみ:framework:N1}である。\n\n#en\nISMS (Information Security Management System) is a systematic management mechanism for protecting the information assets held by an organization. JIS Q 27001 is the Japanese version of ISO\u002FIEC 27001 and stipulates the requirements for ISMS. 
The central concept is the PDCA cycle (Plan-Do-Check-Act), which continuously improves the security level by repeating plan, execute, check, and improve. ISMS is a comprehensive framework that covers not only technical countermeasures but also organizational policy, human management, and physical security.\n::\n\n::heading\nISMSの[適用]{てきよう:application:N3}[範囲]{はんい:scope:N1}とリスクアセスメント\n\n#en\nISMS scope and risk assessment\n::\n\n::para\nISMSの[適用]{てきよう:application:N3}[範囲]{はんい:scope:N1}は[組織]{そしき:organization:N1}が[自]{みずか:self:N4}ら[定める]{さだめる:determine:N3}。どの[業務]{ぎょうむ:business operations:N3}、どの[拠点]{きょてん:location:N1}、どの[情報]{じょうほう:information:N3}[資産]{しさん:assets:N3}を[対象]{たいしょう:subject:N2}にするかを[明確]{めいかく:clearly:N3}にした[上]{うえ:upon:N5}で、リスクアセスメントを[実施]{じっし:implement:N1}する。リスクアセスメントの[手順]{てじゅん:procedure:N2}は（1）[情報]{じょうほう:information:N3}[資産]{しさん:assets:N3}の[洗い出し]{あらいだし:identification:N3}、（2）[脅威]{きょうい:threats:N1}の[特定]{とくてい:identification:N3}、（3）[脆弱性]{ぜいじゃくせい:vulnerabilities:N1}の[評価]{ひょうか:assessment:N1}、（4）リスク[値]{ち:value:N3}の[算定]{さんてい:calculation:N2}、（5）[管理策]{かんりさく:controls:N1}の[選択]{せんたく:selection:N1}である。[選択]{せんたく:selected:N1}した[管理策]{かんりさく:controls:N1}は「[適用]{てきよう:applicability:N3}[宣言書]{せんげんしょ:statement:N1}（SoA）」に[文書化]{ぶんしょか:document:N3}し、[附属書]{ふぞくしょ:annex:N1}Aの[管理策]{かんりさく:controls:N1}との[対応]{たいおう:correspondence:N1}[関係]{かんけい:relationship:N3}を[明示]{めいじ:clearly indicate:N3}する。\n\n#en\nThe scope of ISMS is determined by the organization itself. After clarifying which operations, locations, and information assets are covered, a risk assessment is conducted. The risk assessment procedure is: (1) identify information assets, (2) identify threats, (3) assess vulnerabilities, (4) calculate risk values, and (5) select controls. 
Selected controls are documented in a Statement of Applicability (SoA), which clearly maps their correspondence to the controls in Annex A.\n::\n\n::heading\nISMS[認証]{にんしょう:certification:N1}とJIS Q 27002\n\n#en\nISMS certification and JIS Q 27002\n::\n\n::para\nISMS[認証]{にんしょう:certification:N1}は、[認定]{にんてい:accredited:N3}を[受けた]{うけた:received:N3}[審査]{しんさ:audit:N1}[機関]{きかん:body:N3}（[認証]{にんしょう:certification:N1}[機関]{きかん:body:N3}）が[行う]{おこなう:conduct:N5}。[認証]{にんしょう:certification:N1}の[有効]{ゆうこう:validity:N2}[期間]{きかん:period:N3}は3[年]{ねん:years:N5}であり、[毎年]{まいとし:annually:N5}[維持]{いじ:maintenance:N1}[審査]{しんさ:audit:N1}（サーベイランス[審査]{しんさ:audit:N1}）を[受ける]{うける:undergo:N3}。3[年]{ねん:years:N5}[後]{ご:after:N5}に[更新]{こうしん:renewal:N3}[審査]{しんさ:audit:N1}を[通過]{つうか:pass:N3}すれば[認証]{にんしょう:certification:N1}は[継続]{けいぞく:continue:N1}される。JIS Q 27002（ISO\u002FIEC 27002）は[管理策]{かんりさく:controls:N1}の[実装]{じっそう:implementation:N2}ガイダンスであり、2022[年]{ねん:year:N5}[改訂]{かいてい:revision:N1}で[管理策]{かんりさく:controls:N1}は4つのテーマ（[組織的]{そしきてき:organizational:N1}、[人的]{じんてき:people:N4}、[物理的]{ぶつりてき:physical:N4}、[技術的]{ぎじゅつてき:technological:N2}）に[再編]{さいへん:reorganized:N2}された。\n\n#en\nISMS certification is conducted by accredited audit bodies (certification bodies). The certification validity period is 3 years, with annual surveillance audits. If the renewal audit is passed after 3 years, certification continues. 
JIS Q 27002 (ISO\u002FIEC 27002) is implementation guidance for controls, and in the 2022 revision, controls were reorganized into 4 themes: organizational, people, physical, and technological.\n::\n\n::heading\n[個人]{こじん:personal:N2}[情報]{じょうほう:information:N3}[保護法]{ほごほう:Protection Act:N1}ガイドライン：[通則編]{つうそくへん:general rules volume:N2}\n\n#en\nPersonal Information Protection Act guidelines: General Rules volume\n::\n\n::para\n[個人]{こじん:personal:N2}[情報]{じょうほう:information:N3}[保護]{ほご:protection:N1}[委員会]{いいんかい:commission:N2}（PPC）が[策定]{さくてい:formulate:N1}する[個人]{こじん:personal:N2}[情報]{じょうほう:information:N3}[保護法]{ほごほう:Protection Act:N1}ガイドラインは4[巻]{かん:volumes:N2}[構成]{こうせい:structure:N3}である。[最]{もっと:most:N3}も[重要]{じゅうよう:important:N3}なのが[通則編]{つうそくへん:general rules volume:N2}であり、[取得]{しゅとく:acquisition:N3}・[利用]{りよう:use:N3}・[保管]{ほかん:storage:N1}・[提供]{ていきょう:provision:N1}・[開示]{かいじ:disclosure:N3}[請求]{せいきゅう:request:N1}など[全般]{ぜんぱん:general:N2}[的]{てき:-ical:N4}な[規律]{きりつ:rules:N2}を[網羅]{もうら:comprehensively cover:N1}する。[特]{とく:particularly:N4}に「[安全]{あんぜん:safety:N3}[管理]{かんり:management:N2}[措置]{そち:measures:N1}」の[章]{しょう:chapter:N2}は[詳細]{しょうさい:detailed:N1}であり、[組織的]{そしきてき:organizational:N1}・[人的]{じんてき:human:N4}・[物理的]{ぶつりてき:physical:N4}・[技術的]{ぎじゅつてき:technical:N2}の4[側面]{そくめん:aspects:N3}から[具体的]{ぐたいてき:specific:N3}な[対策]{たいさく:measures:N1}を[求める]{もとめる:require:N3}。さらに[中小]{ちゅうしょう:small and medium:N5}[規模]{きぼ:scale:N1}[事業者]{じぎょうしゃ:business operators:N4}には[軽減]{けいげん:reduction:N2}[措置]{そち:measures:N1}（[手法]{しゅほう:method:N3}の[簡略化]{かんりゃくか:simplification:N2}）が[認められて]{みとめられて:permitted:N3}おり、[従業員]{じゅうぎょういん:employees:N1}100[人]{にん:persons:N5}[以下]{いか:or fewer:N4}の[事業者]{じぎょうしゃ:operators:N4}が[対象]{たいしょう:subject:N2}となることが[多い]{おおい:common:N4}。\n\n#en\nThe Personal Information Protection Commission (PPC) formulates the Personal Information Protection Act guidelines, which consist of 4 volumes. The most important is the General Rules volume, which comprehensively covers rules on acquisition, use, storage, provision, and disclosure requests. 
The chapter on \"safety management measures\" is particularly detailed, requiring specific measures from 4 aspects: organizational, human, physical, and technical. Furthermore, reduced measures (simplified methods) are permitted for small and medium-scale business operators, commonly those with 100 or fewer employees.\n::\n\n::heading\n[残り]{のこり:remaining:N3}3[巻]{かん:volumes:N2}：[外国]{がいこく:foreign:N5}[提供]{ていきょう:provision:N1}・[確認]{かくにん:confirmation:N3}[記録]{きろく:record:N2}・[仮名]{かめい:pseudonymized:N1}[匿名]{とくめい:anonymized:N1}[加工]{かこう:processing:N3}\n\n#en\nRemaining 3 volumes: foreign provision, confirmation\u002Frecord, pseudonymized\u002Fanonymized processing\n::\n\n::para\n[外国]{がいこく:foreign:N5}にある[第三者]{だいさんしゃ:third party:N1}への[提供編]{ていきょうへん:provision volume:N1}は、[個人]{こじん:personal:N2}データを[海外]{かいがい:overseas:N4}の[第三者]{だいさんしゃ:third party:N1}に[移転]{いてん:transfer:N2}する[際]{さい:when:N3}のルールを[定める]{さだめる:establish:N3}。[本人]{ほんにん:the individual:N5}の[同意]{どうい:consent:N4}を[原則]{げんそく:in principle:N2}とし、[移転]{いてん:transfer:N2}[先]{さき:destination:N5}の[国]{くに:country:N5}の[制度]{せいど:system:N3}が[日本]{にほん:Japan:N5}と[同等]{どうとう:equivalent:N3}[水準]{すいじゅん:level:N2}か（[十分性]{じゅうぶんせい:adequacy:N3}[認定]{にんてい:recognition:N3}）、または[移転]{いてん:transfer:N2}[先]{さき:destination:N5}が[適切]{てきせつ:appropriate:N3}な[体制]{たいせい:structure:N3}を[整備]{せいび:maintain:N1}しているかを[確認]{かくにん:confirm:N3}する。[第三者]{だいさんしゃ:third party:N1}[提供]{ていきょう:provision:N1}[時]{じ:at the time of:N5}の[確認]{かくにん:confirmation:N3}・[記録]{きろく:record:N2}[義務編]{ぎむへん:obligation volume:N1}は、[個人]{こじん:personal:N2}データの[流通]{りゅうつう:circulation:N3}[経路]{けいろ:route:N3}を[追跡]{ついせき:trace:N2}[可能]{かのう:possible:N3}にするためのトレーサビリティ[要件]{ようけん:requirements:N3}を[規定]{きてい:stipulate:N3}する。[仮名]{かめい:pseudonymized:N1}[加工]{かこう:processed:N3}[情報]{じょうほう:information:N3}・[匿名]{とくめい:anonymized:N1}[加工]{かこう:processed:N3}[情報編]{じょうほうへん:information 
volume:N2}は、それぞれの[加工]{かこう:processing:N3}[基準]{きじゅん:standards:N1}と[取扱い]{とりあつかい:handling:N1}[義務]{ぎむ:obligations:N1}を[定める]{さだめる:establish:N3}。[仮名]{かめい:pseudonymized:N1}[加工]{かこう:processed:N3}[情報]{じょうほう:information:N3}は[内部]{ないぶ:internal:N3}[分析]{ぶんせき:analysis:N1}[用途]{ようと:purpose:N3}に[限定]{げんてい:limited:N3}され、[第三者]{だいさんしゃ:third party:N1}[提供]{ていきょう:provision:N1}は[原則]{げんそく:in principle:N2}[禁止]{きんし:prohibited:N2}である。\n\n#en\nThe Foreign Third-Party Provision volume establishes rules for transferring personal data to third parties overseas. It requires consent from the individual in principle, and confirmation that the destination country's system is at an equivalent level to Japan's (adequacy recognition) or that the recipient maintains an appropriate structure. The Confirmation and Record Obligation volume stipulates traceability requirements to make the circulation routes of personal data traceable. The Pseudonymized\u002FAnonymized Information volume establishes the processing standards and handling obligations for each. 
Pseudonymized information is limited to internal analysis purposes, and third-party provision is prohibited in principle.\n::\n\n::heading\nガイドラインの[法的]{ほうてき:legal:N3}[性質]{せいしつ:nature:N3}\n\n#en\nLegal nature of guidelines\n::\n\n::para\nガイドラインは[法律]{ほうりつ:law:N2}そのものではないが、[個人]{こじん:personal:N2}[情報]{じょうほう:information:N3}[保護]{ほご:protection:N1}[委員会]{いいんかい:commission:N2}（PPC）はガイドラインを[基準]{きじゅん:standard:N1}として[指導]{しどう:guidance:N2}・[勧告]{かんこく:recommendation:N1}・[命令]{めいれい:order:N2}を[行う]{おこなう:issue:N5}。[事業者]{じぎょうしゃ:business operators:N4}がガイドラインに[違反]{いはん:violate:N3}した[場合]{ばあい:case:N3}、PPCは[改善]{かいぜん:improvement:N1}[命令]{めいれい:order:N2}を[出す]{だす:issue:N5}ことができ、[命令]{めいれい:order:N2}に[従わない]{したがわない:not comply:N1}と[罰則]{ばっそく:penalties:N1}が[科される]{かされる:imposed:N3}。したがって、ガイドラインは[事実上]{じじつじょう:de facto:N3}[法的]{ほうてき:legal:N3}[拘束力]{こうそくりょく:binding force:N1}を[持つ]{もつ:have:N4}。\n\n#en\nGuidelines are not law themselves, but the Personal Information Protection Commission (PPC) uses them as the basis for issuing guidance, recommendations, and orders. If a business operator violates the guidelines, the PPC can issue an improvement order, and penalties are imposed for non-compliance. 
Therefore, guidelines have de facto legal binding force.\n::\n\n::heading\n[特定]{とくてい:specific:N3}[個人]{こじん:personal:N2}[情報]{じょうほう:information:N3}ガイドライン（マイナンバー）\n\n#en\nSpecific Personal Information guidelines (My Number)\n::\n\n::para\n[特定]{とくてい:specific:N3}[個人]{こじん:personal:N2}[情報]{じょうほう:information:N3}（マイナンバーを[含む]{ふくむ:include:N2}[個人]{こじん:personal:N2}[情報]{じょうほう:information:N3}）については、[個人]{こじん:personal:N2}[情報]{じょうほう:information:N3}[保護]{ほご:protection:N1}[委員会]{いいんかい:commission:N2}が[別途]{べっと:separately:N3}「[特定]{とくてい:specific:N3}[個人]{こじん:personal:N2}[情報]{じょうほう:information:N3}の[適正]{てきせい:proper:N3}な[取扱い]{とりあつかい:handling:N1}に[関する]{かんする:regarding:N3}ガイドライン」を[公表]{こうひょう:publish:N3}している。マイナンバーの[利用]{りよう:use:N3}[範囲]{はんい:scope:N1}は[税]{ぜい:tax:N2}・[社会]{しゃかい:social:N4}[保障]{ほしょう:security:N1}・[災害]{さいがい:disaster:N1}[対策]{たいさく:countermeasures:N1}に[限定]{げんてい:limited:N3}されており、[通常]{つうじょう:ordinary:N3}の[個人]{こじん:personal:N2}[情報]{じょうほう:information:N3}より[厳格]{げんかく:strict:N1}な[安全]{あんぜん:safety:N3}[管理]{かんり:management:N2}[措置]{そち:measures:N1}が[義務]{ぎむ:obligation:N1}づけられる。[収集]{しゅうしゅう:collection:N3}・[保管]{ほかん:storage:N1}の[制限]{せいげん:restrictions:N3}も[厳しく]{きびしく:strictly:N1}、[目的]{もくてき:purpose:N4}[外]{がい:outside:N5}の[利用]{りよう:use:N3}・[提供]{ていきょう:provision:N1}は[原則]{げんそく:in principle:N2}[禁止]{きんし:prohibited:N2}される。\n\n#en\nFor specific personal information (personal information containing My Number), the Personal Information Protection Commission separately publishes \"Guidelines on the Proper Handling of Specific Personal Information.\" The scope of My Number use is limited to tax, social security, and disaster countermeasures, and stricter safety management measures are mandated than for ordinary personal information. 
Restrictions on collection and storage are also strict, and use or provision outside the designated purpose is prohibited in principle.\n::\n\n::heading\nサイバーセキュリティ[基本法]{きほんほう:Basic Act:N1}とNISC\n\n#en\nBasic Act on Cybersecurity and NISC\n::\n\n::para\nサイバーセキュリティ[基本法]{きほんほう:Basic Act:N1}は2014[年]{ねん:year:N5}に[制定]{せいてい:enacted:N3}され、[日本]{にほん:Japan:N5}のサイバーセキュリティ[戦略]{せんりゃく:strategy:N2}の[基本]{きほん:basic:N1}[理念]{りねん:philosophy:N3}と[国]{くに:state:N5}の[責務]{せきむ:responsibilities:N3}を[明確化]{めいかくか:clarify:N3}した。この[法律]{ほうりつ:law:N2}により[内閣]{ないかく:Cabinet:N1}サイバーセキュリティセンター（NISC：National center of Incident readiness and Strategy for Cybersecurity）が[設置]{せっち:established:N2}された。NISCは[各]{かく:each:N2}[省庁]{しょうちょう:ministry:N2}や[民間]{みんかん:private sector:N3}との[連携]{れんけい:cooperation:N1}を[調整]{ちょうせい:coordinate:N1}し、サイバーセキュリティ[戦略]{せんりゃく:strategy:N2}の[策定]{さくてい:formulation:N1}と[推進]{すいしん:promotion:N1}を[担う]{になう:undertake:N2}。\n\n#en\nThe Basic Act on Cybersecurity was enacted in 2014 and clarified the basic philosophy of Japan's cybersecurity strategy and the responsibilities of the state. Under this law, the National Center of Incident Readiness and Strategy for Cybersecurity (NISC) was established. 
NISC coordinates cooperation with each ministry and the private sector and undertakes the formulation and promotion of the cybersecurity strategy.\n::\n\n::heading\n[重要]{じゅうよう:critical:N3}インフラ14[分野]{ぶんや:sectors:N4}\n\n#en\nThe 14 critical infrastructure sectors\n::\n\n::para\nサイバーセキュリティ[基本法]{きほんほう:Basic Act:N1}の[重要]{じゅうよう:important:N3}な[柱]{はしら:pillar:N2}が[重要]{じゅうよう:critical:N3}インフラ[防護]{ぼうご:protection:N1}である。[政府]{せいふ:government:N2}は[以下]{いか:the following:N4}の14[分野]{ぶんや:sectors:N4}を[重要]{じゅうよう:critical:N3}インフラとして[指定]{してい:designate:N3}している：[情報]{じょうほう:information:N3}[通信]{つうしん:communication:N3}、[金融]{きんゆう:finance:N1}、[航空]{こうくう:aviation:N2}、[空港]{くうこう:airport:N3}、[鉄道]{てつどう:railway:N2}、[電力]{でんりょく:electric power:N4}、ガス、[政府]{せいふ:government:N2}・[行政]{ぎょうせい:administration:N3}サービス、[医療]{いりょう:medical:N2}、[水道]{すいどう:water supply:N4}、[物流]{ぶつりゅう:logistics:N3}、[化学]{かがく:chemical:N3}、クレジット、[石油]{せきゆ:petroleum:N2}。これらの[分野]{ぶんや:sectors:N4}では[事業者]{じぎょうしゃ:operators:N4}にサイバーセキュリティ[対策]{たいさく:measures:N1}の[強化]{きょうか:strengthening:N3}が[求められて]{もとめられて:required:N3}いる。\n\n#en\nAn important pillar of the Basic Act on Cybersecurity is critical infrastructure protection. The government designates the following 14 sectors as critical infrastructure: information and communication, finance, aviation, airports, railways, electric power, gas, government and administrative services, medical, water supply, logistics, chemical, credit, and petroleum. 
Operators in these sectors are required to strengthen their cybersecurity measures.\n::\n\n::heading\n[不正]{ふせい:unfair:N4}[競争]{きょうそう:competition:N2}[防止法]{ぼうしほう:Prevention Act:N2}：[営業]{えいぎょう:trade:N2}[秘密]{ひみつ:secret:N1}の3[要件]{ようけん:requirements:N3}\n\n#en\nUnfair Competition Prevention Act: 3 requirements for trade secrets\n::\n\n::para\n[不正]{ふせい:unfair:N4}[競争]{きょうそう:competition:N2}[防止法]{ぼうしほう:Prevention Act:N2}は[営業]{えいぎょう:business:N2}[秘密]{ひみつ:secret:N1}の[保護]{ほご:protection:N1}を[規定]{きてい:stipulate:N3}する。[試験]{しけん:exam:N4}では[営業]{えいぎょう:trade:N2}[秘密]{ひみつ:secret:N1}の3[要件]{ようけん:requirements:N3}が[極めて]{きわめて:extremely:N2}[頻出]{ひんしゅつ:frequently tested:N1}である。（1）[秘密]{ひみつ:secret:N1}[管理性]{かんりせい:manageability:N2}：[秘密]{ひみつ:confidential:N1}として[管理]{かんり:managed:N2}されていること（「[社外秘]{しゃがいひ:confidential:N1}」[表示]{ひょうじ:marking:N3}、アクセス[制限]{せいげん:restriction:N3}、[施錠]{せじょう:locking:N1}[保管]{ほかん:storage:N1}など）。（2）[有用性]{ゆうようせい:usefulness:N3}：[事業]{じぎょう:business:N4}[活動]{かつどう:activities:N3}に[有用]{ゆうよう:useful:N4}な[情報]{じょうほう:information:N3}であること（[顧客]{こきゃく:customer:N1}[名簿]{めいぼ:list:N1}、[製造]{せいぞう:manufacturing:N1}[技術]{ぎじゅつ:technique:N2}、[販売]{はんばい:sales:N2}[戦略]{せんりゃく:strategy:N2}など）。（3）[非]{ひ:non-:N3}[公知性]{こうちせい:public knowledge:N3}：[一般]{いっぱん:general:N2}に[知られて]{しられて:known:N4}いないこと。\n\n#en\nThe Unfair Competition Prevention Act stipulates the protection of trade secrets. The 3 requirements for trade secrets are extremely frequently tested on the exam. (1) Secrecy management: the information is managed as confidential (marked \"confidential,\" access restricted, stored under lock, etc.). (2) Usefulness: the information is useful for business activities (customer lists, manufacturing techniques, sales strategies, etc.). 
(3) Non-public knowledge: the information is not generally known.\n::\n\n::heading\n[侵害]{しんがい:infringement:N1}[行為]{こうい:acts:N1}と[救済]{きゅうさい:remedies:N1}[手段]{しゅだん:means:N3}\n\n#en\nInfringement acts and remedies\n::\n\n::para\n[営業]{えいぎょう:trade:N2}[秘密]{ひみつ:secret:N1}の[侵害]{しんがい:infringement:N1}[行為]{こうい:acts:N1}には、[不正]{ふせい:wrongful:N4}[取得]{しゅとく:acquisition:N3}（[窃取]{せっしゅ:theft:N1}・[詐欺]{さぎ:fraud:N1}・[脅迫]{きょうはく:coercion:N1}など）、[不正]{ふせい:wrongful:N4}[使用]{しよう:use:N4}、[不正]{ふせい:wrongful:N4}[開示]{かいじ:disclosure:N3}がある。[被害者]{ひがいしゃ:victim:N2}は[差止]{さしとめ:injunction:N3}[請求]{せいきゅう:claim:N1}（[侵害]{しんがい:infringement:N1}[行為]{こうい:acts:N1}の[停止]{ていし:cessation:N2}）、[損害]{そんがい:damages:N2}[賠償]{ばいしょう:compensation:N1}[請求]{せいきゅう:claim:N1}を[行える]{おこなえる:can file:N5}。また、[悪質]{あくしつ:malicious:N4}な[場合]{ばあい:case:N3}は[刑事]{けいじ:criminal:N1}[罰]{ばつ:penalty:N1}（10[年]{ねん:years:N5}[以下]{いか:or less:N4}の[懲役]{ちょうえき:imprisonment:N1}[等]{とう:etc.:N3}）の[対象]{たいしょう:subject:N2}ともなる。\n\n#en\nActs of trade secret infringement include wrongful acquisition (theft, fraud, coercion, etc.), wrongful use, and wrongful disclosure. Victims can file injunction claims (cessation of infringing acts) and claims for damages. In malicious cases, criminal penalties (imprisonment of 10 years or less, etc.) 
may also apply.\n::\n\n::heading\n[不正]{ふせい:unauthorized:N4}アクセス[禁止法]{きんしほう:Prohibition Act:N2}\n\n#en\nUnauthorized Computer Access Prohibition Act\n::\n\n::para\n[不正]{ふせい:unauthorized:N4}アクセス[禁止法]{きんしほう:Prohibition Act:N2}は、コンピュータへの[不正]{ふせい:unauthorized:N4}な[侵入]{しんにゅう:intrusion:N1}を[処罰]{しょばつ:punish:N1}する[法律]{ほうりつ:law:N2}である。[不正]{ふせい:unauthorized:N4}アクセス[行為]{こうい:acts:N1}とは、（a）[他人]{たにん:another person:N3}のID・パスワードを[無断]{むだん:without permission:N3}で[使用]{しよう:use:N4}する[行為]{こうい:act:N1}、（b）セキュリティホールを[攻撃]{こうげき:attack:N1}する[行為]{こうい:act:N1}、（c）[他人]{たにん:another person:N3}の[認証]{にんしょう:authentication:N1}[情報]{じょうほう:information:N3}を[無権限]{むけんげん:without authorization:N3}で[利用]{りよう:use:N3}する[行為]{こうい:act:N1}を[指す]{さす:refer to:N3}。[禁止]{きんし:prohibited:N2}される[行為]{こうい:acts:N1}は[不正]{ふせい:unauthorized:N4}アクセス[行為]{こうい:act:N1}[自体]{じたい:itself:N4}に[加え]{くわえ:in addition to:N3}、[他人]{たにん:another person:N3}のID[等]{とう:etc.:N3}の[不正]{ふせい:wrongful:N4}[取得]{しゅとく:acquisition:N3}、[不正]{ふせい:wrongful:N4}アクセスを[助長]{じょちょう:facilitate:N3}する[行為]{こうい:act:N1}（パスワードの[売買]{ばいばい:selling\u002Fbuying:N4}・[提供]{ていきょう:provision:N1}）、フィッシング[行為]{こうい:act:N1}が[含まれる]{ふくまれる:included:N2}。[罰則]{ばっそく:penalties:N1}は3[年]{ねん:years:N5}[以下]{いか:or less:N4}の[懲役]{ちょうえき:imprisonment:N1}または100[万]{まん:10,000:N5}[円]{えん:yen:N5}[以下]{いか:or less:N4}の[罰金]{ばっきん:fine:N1}である。\n\n#en\nThe Unauthorized Computer Access Prohibition Act is a law that punishes unauthorized intrusion into computers. Unauthorized access acts refer to: (a) using another person's ID\u002Fpassword without permission, (b) exploiting security holes, and (c) using another person's authentication information without authorization. Prohibited acts include, in addition to unauthorized access itself, wrongful acquisition of another person's IDs, acts facilitating unauthorized access (selling\u002Fsharing passwords), and phishing. 
Penalties are imprisonment of 3 years or less, or a fine of 1 million yen or less.\n::\n\n::heading\nその[他]{た:other:N3}の[関連]{かんれん:related:N3}[法規]{ほうき:laws:N3}\n\n#en\nOther related laws\n::\n\n::para\n[電気]{でんき:electric:N5}[通信]{つうしん:communication:N3}[事業法]{じぎょうほう:Business Act:N3}[第]{だい:Article:N1}4[条]{じょう:article:N1}は「[通信]{つうしん:communication:N3}の[秘密]{ひみつ:secrecy:N1}」を[保障]{ほしょう:guarantee:N1}しており、[電気]{でんき:electric:N5}[通信]{つうしん:communication:N3}[事業者]{じぎょうしゃ:operators:N4}は[利用者]{りようしゃ:users:N3}の[通信]{つうしん:communication:N3}[内容]{ないよう:content:N3}を[守る]{まもる:protect:N3}[義務]{ぎむ:obligation:N1}を[負う]{おう:bear:N3}。[特定]{とくてい:specific:N3}[電子]{でんし:electronic:N5}メール[法]{ほう:Act:N3}は、[商業]{しょうぎょう:commercial:N3}メールの[送信]{そうしん:sending:N3}にオプトイン（[事前]{じぜん:prior:N4}[同意]{どうい:consent:N4}）を[義務]{ぎむ:obligation:N1}づける。[刑法]{けいほう:Criminal Code:N1}の「[不正]{ふせい:wrongful:N4}[指令]{しれい:command:N2}[電磁的]{でんじてき:electromagnetic:N1}[記録]{きろく:record:N2}」[罪]{ざい:crime:N3}は、コンピュータウイルスの[作成]{さくせい:creation:N3}・[配布]{はいふ:distribution:N2}・[供用]{きょうよう:provision for use:N3}を[犯罪]{はんざい:crime:N3}として[処罰]{しょばつ:punish:N1}する。\n\n#en\nArticle 4 of the Telecommunications Business Act guarantees \"secrecy of communications,\" and telecommunications operators bear the obligation to protect users' communication content. The Act on Regulation of Transmission of Specified Electronic Mail mandates opt-in (prior consent) for sending commercial emails. 
The Criminal Code's \"wrongful electromagnetic record commands\" crime punishes the creation, distribution, and provision for use of computer viruses.\n::\n\n::heading\nNISTサイバーセキュリティフレームワーク\n\n#en\nNIST Cybersecurity Framework\n::\n\n::para\nアメリカの[国立]{こくりつ:national:N4}[標準]{ひょうじゅん:standard:N1}[技術]{ぎじゅつ:technology:N2}[研究所]{けんきゅうじょ:research institute:N3}（NIST）が[策定]{さくてい:formulate:N1}したサイバーセキュリティフレームワーク（CSF）は、[世界的]{せかいてき:worldwide:N4}に[広く]{ひろく:widely:N4}[採用]{さいよう:adopted:N2}されている。CSFは5つの[機能]{きのう:functions:N3}で[構成]{こうせい:composed:N3}される：「[識別]{しきべつ:Identify:N3}」（[資産]{しさん:assets:N3}・リスクの[把握]{はあく:grasp:N1}）、「[防御]{ぼうぎょ:Protect:N2}」（[保護]{ほご:protection:N1}[策]{さく:measures:N1}の[実装]{じっそう:implementation:N2}）、「[検知]{けんち:Detect:N1}」（[異常]{いじょう:anomaly:N1}の[発見]{はっけん:discovery:N4}）、「[対応]{たいおう:Respond:N1}」（インシデント[対処]{たいしょ:handling:N3}）、「[復旧]{ふっきゅう:Recover:N2}」（[通常]{つうじょう:normal:N3}[状態]{じょうたい:state:N1}への[回復]{かいふく:recovery:N2}）。[日本]{にほん:Japan:N5}の[多く]{おおく:many:N4}の[組織]{そしき:organizations:N1}もNIST CSFを[参考]{さんこう:reference:N3}にしている。\n\n#en\nThe Cybersecurity Framework (CSF) formulated by the U.S. National Institute of Standards and Technology (NIST) is widely adopted worldwide. CSF consists of 5 functions: \"Identify\" (understanding assets and risks), \"Protect\" (implementing safeguards), \"Detect\" (discovering anomalies), \"Respond\" (incident handling), and \"Recover\" (returning to normal state). 
Many organizations in Japan also use the NIST CSF as a reference.\n::\n\n::heading\nISO\u002FIEC 27000[規格]{きかく:standard:N3}[群]{ぐん:family:N2}\n\n#en\nISO\u002FIEC 27000 standards family\n::\n\n::para\nISO\u002FIEC 27000シリーズは[情報]{じょうほう:information:N3}セキュリティ[管理]{かんり:management:N2}の[国際]{こくさい:international:N3}[規格]{きかく:standard:N3}[群]{ぐん:family:N2}である。[主要]{しゅよう:major:N3}な[規格]{きかく:standards:N3}：27000は[用語]{ようご:vocabulary:N4}[定義]{ていぎ:definitions:N1}、27001はISMS[要求]{ようきゅう:requirements:N3}[事項]{じこう:matters:N1}、27002は[管理策]{かんりさく:controls:N1}の[実践]{じっせん:practice:N1}[規範]{きはん:code:N1}、27005は[情報]{じょうほう:information:N3}セキュリティリスク[管理]{かんり:management:N2}、27017はクラウドセキュリティ、27018はクラウド[上]{じょう:on:N5}の[個人]{こじん:personal:N2}[情報]{じょうほう:information:N3}（PII）[保護]{ほご:protection:N1}、27701は[個人]{こじん:personal:N2}[情報]{じょうほう:information:N3}[管理]{かんり:management:N2}システム（PIMS：プライバシー[拡張]{かくちょう:extension:N1}）を[規定]{きてい:stipulate:N3}する。これらを[組み合わせる]{くみあわせる:combine:N3}ことで、[組織]{そしき:organization:N1}は[情報]{じょうほう:information:N3}セキュリティとプライバシー[保護]{ほご:protection:N1}を[統合的]{とうごうてき:integrated:N1}に[管理]{かんり:manage:N2}できる。\n\n#en\nThe ISO\u002FIEC 27000 series is a family of international standards for information security management. Key standards: 27000 defines vocabulary, 27001 specifies ISMS requirements, 27002 is a code of practice for controls, 27005 covers information security risk management, 27017 addresses cloud security, 27018 covers protection of personal information (PII) in the cloud, and 27701 specifies a Privacy Information Management System (PIMS: privacy extension). 
By combining these, organizations can manage information security and privacy protection in an integrated manner.\n::\n\n::callout\nISMSとプライバシーマーク（Pマーク）は[混同]{こんどう:confused:N2}されやすいが[異なる]{ことなる:different:N1}[制度]{せいど:system:N3}である。ISMS[認証]{にんしょう:certification:N1}：[対象]{たいしょう:scope:N2}は[組織]{そしき:organization:N1}が[定めた]{さだめた:determined:N3}[範囲]{はんい:scope:N1}の[情報]{じょうほう:information:N3}[資産]{しさん:assets:N3}[全般]{ぜんぱん:in general:N2}、[規格]{きかく:standard:N3}はISO\u002FIEC 27001（JIS Q 27001）、[有効]{ゆうこう:validity:N2}[期間]{きかん:period:N3}は3[年]{ねん:years:N5}、[認証]{にんしょう:certification:N1}[機関]{きかん:body:N3}は[複数]{ふくすう:multiple:N2}の[認定]{にんてい:accredited:N3}[審査]{しんさ:audit:N1}[機関]{きかん:bodies:N3}。Pマーク：[対象]{たいしょう:scope:N2}は[個人]{こじん:personal:N2}[情報]{じょうほう:information:N3}に[限定]{げんてい:limited:N3}、[規格]{きかく:standard:N3}はJIS Q 15001、[有効]{ゆうこう:validity:N2}[期間]{きかん:period:N3}は2[年]{ねん:years:N5}、[認証]{にんしょう:certification:N1}[機関]{きかん:body:N3}は[日本]{にほん:Japan:N5}[情報]{じょうほう:information:N3}[経済]{けいざい:economy:N3}[社会]{しゃかい:society:N4}[推進]{すいしん:promotion:N1}[協会]{きょうかい:association:N2}（JIPDEC）。ISMSは[国際的]{こくさいてき:international:N3}に[通用]{つうよう:valid:N4}し、Pマークは[日本]{にほん:Japan:N5}[国内]{こくない:domestic:N3}[限定]{げんてい:limited:N3}である。\n\n#en\nISMS and Privacy Mark (P-Mark) are easily confused but are different systems. ISMS certification: scope covers information assets in general within the range determined by the organization; standard is ISO\u002FIEC 27001 (JIS Q 27001); validity period is 3 years; certification bodies are multiple accredited audit bodies. P-Mark: scope is limited to personal information; standard is JIS Q 15001; validity period is 2 years; certification body is the Japan Institute for Promotion of Digital Economy and Community (JIPDEC). 
ISMS is internationally valid, while P-Mark is limited to Japan.\n::\n",{"id":174,"title":180,"titleEn":181,"topicPath":182,"questions":183},"第１編 脅威と対策 確認テスト","Chapter 1: Threats & Countermeasures — Practice Test","software\u002Fkojin-joho-hogo\u002Fkadai-2\u002Fhen-01-kyoui-taisaku",[184,212,235,258,282,305,329,351,375,398,421,445,469],{"id":185,"articleId":186,"question":187,"options":190,"correctLabel":204,"explanation":207,"tags":210},"kjh-k2-h01-q01","kjh-k2-h01-security-kiso",{"en":188,"jp":189},"Which of the following is NOT one of the three elements (CIA) of information security?","[情報]{じょうほう:information}セキュリティの3[要素]{ようそ:elements}（CIA）に[該当]{がいとう:applicable}しないものはどれか。",[191,195,199,203],{"label":192,"jp":193,"en":194},"ア","[機密性]{きみつせい:confidentiality}（Confidentiality）","Confidentiality",{"label":196,"jp":197,"en":198},"イ","[完全性]{かんぜんせい:integrity}（Integrity）","Integrity",{"label":200,"jp":201,"en":202},"ウ","[可用性]{かようせい:availability}（Availability）","Availability",{"label":204,"jp":205,"en":206},"エ","[信頼性]{しんらいせい:reliability}（Reliability）","Reliability",{"en":208,"jp":209},"CIA stands for Confidentiality, Integrity, and Availability. 
Reliability is listed as an additional characteristic in JIS Q 27001 but is not one of the three CIA elements.","CIAは[機密性]{きみつせい:confidentiality}・[完全性]{かんぜんせい:integrity}・[可用性]{かようせい:availability}の3つを[指]{さ:point to}す。[信頼性]{しんらいせい:reliability}はJIS Q 27001で[追加]{ついか:additional}[特性]{とくせい:characteristic}として[挙]{あ:listed}げられるが、CIAの[構成]{こうせい:composition}[要素]{ようそ:element}ではない。",[211],"CIA",{"id":213,"articleId":186,"question":214,"options":217,"correctLabel":200,"explanation":230,"tags":233},"kjh-k2-h01-q02",{"en":215,"jp":216},"Which type of malware encrypts files on an infected computer and demands a ransom for decryption?","[感染]{かんせん:infection}したコンピュータのファイルを[暗号化]{あんごうか:encrypt}し、[復号]{ふくごう:decryption}のために[身代金]{みのしろきん:ransom}を[要求]{ようきゅう:demand}するマルウェアはどれか。",[218,221,224,227],{"label":192,"jp":219,"en":220},"ワーム","Worm",{"label":196,"jp":222,"en":223},"トロイの木馬","Trojan horse",{"label":200,"jp":225,"en":226},"ランサムウェア","Ransomware",{"label":204,"jp":228,"en":229},"スパイウェア","Spyware",{"en":231,"jp":232},"Ransomware encrypts files and demands a ransom. 
A worm self-propagates, a Trojan horse disguises itself as legitimate software, and spyware steals information.","ランサムウェアはファイルを[暗号化]{あんごうか:encrypt}し[身代金]{みのしろきん:ransom}を[要求]{ようきゅう:demand}する。ワームは[自己]{じこ:self}[増殖]{ぞうしょく:propagation}するマルウェア、トロイの[木馬]{もくば:wooden horse}は[正規]{せいき:legitimate}ソフトに[偽装]{ぎそう:disguise}して[侵入]{しんにゅう:intrusion}するもの、スパイウェアは[情報]{じょうほう:information}を[窃取]{せっしゅ:steal}するものである。",[234],"malware",{"id":236,"articleId":186,"question":237,"options":240,"correctLabel":196,"explanation":253,"tags":256},"kjh-k2-h01-q03",{"en":238,"jp":239},"Which of the following is the most appropriate example of a social engineering technique?","ソーシャルエンジニアリングの[手法]{しゅほう:technique}として[最]{もっと:most}も[適切]{てきせつ:appropriate}なものはどれか。",[241,244,247,250],{"label":192,"jp":242,"en":243},"SQLインジェクションによるデータベースへの[不正]{ふせい:unauthorized}アクセス","Unauthorized access to a database via SQL injection",{"label":196,"jp":245,"en":246},"[電話]{でんわ:telephone}でシステム[管理者]{かんりしゃ:administrator}を[装]{よそお:pretend}いパスワードを[聞]{き:ask}き[出]{だ:extract}す","Impersonating a system administrator over the phone to extract a password",{"label":200,"jp":248,"en":249},"ブルートフォース[攻撃]{こうげき:attack}でパスワードを[解読]{かいどく:decode}する","Cracking a password by brute force (exhaustively guessing every candidate)",{"label":204,"jp":251,"en":252},"ゼロデイ[脆弱性]{ぜいじゃくせい:vulnerability}を[利用]{りよう:exploit}した[攻撃]{こうげき:attack}","An attack exploiting a zero-day vulnerability",{"en":254,"jp":255},"Social engineering exploits human psychological weaknesses, not technical means. Impersonating an administrator over the phone is a classic example. 
Options A, C, and D are all technical attacks.","ソーシャルエンジニアリングは[技術的]{ぎじゅつてき:technical}[手段]{しゅだん:means}ではなく、[人間]{にんげん:human}の[心理的]{しんりてき:psychological}な[弱点]{じゃくてん:weakness}を[突]{つ:exploit}く[手法]{しゅほう:technique}である。[電話]{でんわ:telephone}で[管理者]{かんりしゃ:administrator}を[装]{よそお:impersonate}う[行為]{こうい:act}が[該当]{がいとう:applicable}する。ア・ウ・エはいずれも[技術的]{ぎじゅつてき:technical}[攻撃]{こうげき:attack}である。",[257],"social-engineering",{"id":259,"articleId":260,"question":261,"options":264,"correctLabel":192,"explanation":277,"tags":280},"kjh-k2-h01-q04","kjh-k1-h01-hotaikei",{"en":262,"jp":263},"Which of the following acts is prohibited under the Unauthorized Computer Access Law?","[不正]{ふせい:unauthorized}アクセス[禁止法]{きんしほう:prohibition law}で[禁止]{きんし:prohibited}されている[行為]{こうい:act}として[正]{ただ:correct}しいものはどれか。",[265,268,271,274],{"label":192,"jp":266,"en":267},"[他人]{たにん:another person}のID・パスワードを[無断]{むだん:without permission}で[使用]{しよう:use}してログインする[行為]{こうい:act}","Logging in using another person's ID and password without permission",{"label":196,"jp":269,"en":270},"[自分]{じぶん:oneself}のパスワードを[簡単]{かんたん:simple}なものに[設定]{せってい:set}する[行為]{こうい:act}","Setting one's own password to something simple",{"label":200,"jp":272,"en":273},"[社内]{しゃない:within the company}ネットワークに[正規]{せいき:authorized}の[手段]{しゅだん:means}でアクセスする[行為]{こうい:act}","Accessing the company network through authorized means",{"label":204,"jp":275,"en":276},"ファイアウォールを[導入]{どうにゅう:implement}する[行為]{こうい:act}","Implementing a firewall",{"en":278,"jp":279},"The Unauthorized Computer Access Law prohibits using another person's identification codes (ID\u002Fpassword) without permission to bypass access controls; it also prohibits acts that facilitate such access, such as handing another person's credentials to a third party. Option B is inadvisable (and may breach an organization's own password policy) but is not illegal under this law. 
Options C and D are legitimate acts.","[不正]{ふせい:unauthorized}アクセス[禁止法]{きんしほう:prohibition law}は、[他人]{たにん:another person}の[識別]{しきべつ:identification}[符号]{ふごう:code}（ID・パスワード）を[無断]{むだん:without permission}[使用]{しよう:use}してアクセス[制御]{せいぎょ:control}を[突破]{とっぱ:break through}する[行為]{こうい:act}を[禁止]{きんし:prohibit}している。イは[推奨]{すいしょう:recommendation}されないが[違法]{いほう:illegal}ではない。ウ・エは[正当]{せいとう:legitimate}な[行為]{こうい:act}である。",[281],"unauthorized-access-law",{"id":283,"articleId":260,"question":284,"options":287,"correctLabel":204,"explanation":300,"tags":303},"kjh-k2-h01-q05",{"en":285,"jp":286},"Which of the following is NOT one of the three requirements for trade secrets under the Unfair Competition Prevention Act?","[不正]{ふせい:unfair}[競争]{きょうそう:competition}[防止法]{ぼうしほう:prevention law}における[営業]{えいぎょう:business}[秘密]{ひみつ:secret}の3[要件]{ようけん:requirements}に[該当]{がいとう:applicable}しないものはどれか。",[288,291,294,297],{"label":192,"jp":289,"en":290},"[秘密]{ひみつ:secret}[管理性]{かんりせい:manageability}","Secret management (the information is managed as a secret)",{"label":196,"jp":292,"en":293},"[有用性]{ゆうようせい:usefulness}","Usefulness (the information has commercial value)",{"label":200,"jp":295,"en":296},"[非]{ひ:non-}[公知性]{こうちせい:public knowledge}","Non-public knowledge (the information is not publicly known)",{"label":204,"jp":298,"en":299},"[新規性]{しんきせい:novelty}","Novelty (the information is new)",{"en":301,"jp":302},"The three requirements for trade secrets are: secret management, usefulness, and non-public knowledge. 
Novelty is a requirement under patent law, not for trade secrets.","[営業]{えいぎょう:business}[秘密]{ひみつ:secret}の3[要件]{ようけん:requirements}は「[秘密]{ひみつ:secret}[管理性]{かんりせい:manageability}」「[有用性]{ゆうようせい:usefulness}」「[非]{ひ:non-}[公知性]{こうちせい:public knowledge}」の3つである。「[新規性]{しんきせい:novelty}」は[特許法]{とっきょほう:patent law}の[要件]{ようけん:requirement}であり、[営業]{えいぎょう:business}[秘密]{ひみつ:secret}の[要件]{ようけん:requirement}ではない。",[304],"trade-secret",{"id":306,"articleId":260,"question":307,"options":310,"correctLabel":196,"explanation":323,"tags":326},"kjh-k2-h01-q06",{"en":308,"jp":309},"Which of the following correctly describes the difference between ISMS and the Privacy Mark?","ISMSとプライバシーマークの[違]{ちが:difference}いについて[正]{ただ:correct}しいものはどれか。",[311,314,317,320],{"label":192,"jp":312,"en":313},"ISMSは[個人情報]{こじんじょうほう:personal information}のみを[対象]{たいしょう:target}とし、プライバシーマークは[全]{すべ:all}ての[情報]{じょうほう:information}[資産]{しさん:assets}を[対象]{たいしょう:target}とする","ISMS covers only personal information, while the Privacy Mark covers all information assets",{"label":196,"jp":315,"en":316},"ISMSは[全]{すべ:all}ての[情報]{じょうほう:information}[資産]{しさん:assets}を[対象]{たいしょう:target}とし、プライバシーマークは[個人情報]{こじんじょうほう:personal information}[保護]{ほご:protection}に[特化]{とっか:specialized}する","ISMS covers all information assets, while the Privacy Mark specializes in personal information protection",{"label":200,"jp":318,"en":319},"[両者]{りょうしゃ:both}とも[国際]{こくさい:international}[規格]{きかく:standard}に[基]{もと:based}づく[認証]{にんしょう:certification}[制度]{せいど:system}である","Both are certification systems based on international standards",{"label":204,"jp":321,"en":322},"プライバシーマークは[部門]{ぶもん:department}[単位]{たんい:unit}で[取得]{しゅとく:obtain}でき、ISMSは[会社]{かいしゃ:company}[全体]{ぜんたい:entire}でしか[取得]{しゅとく:obtain}できない","The Privacy Mark can be obtained per department, while ISMS can only be obtained company-wide",{"en":324,"jp":325},"ISMS (ISO\u002FIEC 27001) is an international standard covering all information assets and can be obtained per department. 
The Privacy Mark (JIS Q 15001) is a domestic system specializing in personal information protection and must be obtained company-wide. Option A is reversed. Option C is wrong because the Privacy Mark is a domestic standard. Option D is also reversed.","ISMS（ISO\u002FIEC 27001）は[情報]{じょうほう:information}[資産]{しさん:assets}[全般]{ぜんぱん:overall}を[対象]{たいしょう:target}とする[国際]{こくさい:international}[規格]{きかく:standard}に[基]{もと:based}づく[認証]{にんしょう:certification}で、[部門]{ぶもん:department}[単位]{たんい:unit}で[取得]{しゅとく:obtain}[可能]{かのう:possible}。プライバシーマーク（JIS Q 15001）は[個人情報]{こじんじょうほう:personal information}[保護]{ほご:protection}に[特化]{とっか:specialized}した[国内]{こくない:domestic}[制度]{せいど:system}で、[事業者]{じぎょうしゃ:business operator}[全体]{ぜんたい:entire}で[取得]{しゅとく:obtain}する。アは[逆]{ぎゃく:reverse}。ウはプライバシーマークが[国内]{こくない:domestic}[規格]{きかく:standard}なので[誤]{あやま:incorrect}り。エも[逆]{ぎゃく:reverse}である。",[327,328],"ISMS","privacy-mark",{"id":330,"articleId":186,"question":331,"options":334,"correctLabel":200,"explanation":346,"tags":349},"kjh-k2-h01-q07",{"en":332,"jp":333},"Which property of information security is guaranteed by digital signatures and timestamps?","[情報]{じょうほう:information}セキュリティの[特性]{とくせい:property}のうち、デジタル[署名]{しょめい:signature}やタイムスタンプによって[担保]{たんぽ:guarantee}されるものはどれか。",[335,338,341,344],{"label":192,"jp":336,"en":337},"[真正性]{しんせいせい:authenticity}","Authenticity",{"label":196,"jp":339,"en":340},"[責任]{せきにん:responsibility}[追跡性]{ついせきせい:traceability}","Accountability",{"label":200,"jp":342,"en":343},"[否認]{ひにん:denial}[防止]{ぼうし:prevention}","Non-repudiation",{"label":204,"jp":345,"en":206},"[信頼性]{しんらいせい:reliability}",{"en":347,"jp":348},"Non-repudiation is the property that prevents someone from later denying (\"I did not do it\") an act they performed; it is guaranteed by digital signatures and timestamps. In practice a signature only supports non-repudiation if the private signing key stays under the signer's sole control, and a timestamp only counts if it is issued by a trusted time-stamping authority rather than set by the signer. 
Authenticity uses multi-factor authentication and electronic certificates; accountability uses access logs and audit trails.","[否認]{ひにん:denial}[防止]{ぼうし:prevention}は、ある[行為]{こうい:act}を[後]{あと:later}から「やっていない」と[否定]{ひてい:deny}できなくする[特性]{とくせい:property}で、デジタル[署名]{しょめい:signature}やタイムスタンプで[担保]{たんぽ:guarantee}される。[真正性]{しんせいせい:authenticity}は[多]{た:multi}[要素]{ようそ:factor}[認証]{にんしょう:authentication}や[電子]{でんし:electronic}[証明書]{しょうめいしょ:certificate}、[責任]{せきにん:responsibility}[追跡性]{ついせきせい:traceability}はアクセスログや[監査]{かんさ:audit}[証跡]{しょうせき:trail}で[実現]{じつげん:realize}される。",[211,350],"non-repudiation",{"id":352,"articleId":186,"question":353,"options":356,"correctLabel":196,"explanation":369,"tags":372},"kjh-k2-h01-q08",{"en":354,"jp":355},"Which best describes the characteristic of an XSS (Cross-Site Scripting) attack?","XSS（クロスサイトスクリプティング）[攻撃]{こうげき:attack}の[特徴]{とくちょう:characteristic}として[最]{もっと:most}も[適切]{てきせつ:appropriate}なものはどれか。",[357,360,363,366],{"label":192,"jp":358,"en":359},"データベースに[不正]{ふせい:malicious}なSQL[文]{ぶん:statement}を[挿入]{そうにゅう:insert}する","Insert malicious SQL statements into a database",{"label":196,"jp":361,"en":362},"Webページに[悪意]{あくい:malicious}のあるスクリプトを[埋め込み]{うめこみ:embed}、[閲覧者]{えつらんしゃ:viewer}のブラウザで[実行]{じっこう:execute}させる","Embed malicious scripts in web pages and execute them in viewers' browsers",{"label":200,"jp":364,"en":365},"[認証]{にんしょう:authenticated}[済み]{ずみ:already}[利用者]{りようしゃ:user}に[意図]{いと:intended}しないリクエストを[送信]{そうしん:send}させる","Force authenticated users to send unintended requests",{"label":204,"jp":367,"en":368},"DNSサーバーの[情報]{じょうほう:information}を[改ざん]{かいざん:tamper}し[偽]{にせ:fake}サイトに[誘導]{ゆうどう:redirect}する","Tamper with DNS server information to redirect to fake sites",{"en":370,"jp":371},"XSS embeds malicious scripts in web pages and executes them in the victim's browser. 
A describes SQL injection, C describes CSRF, and D describes DNS cache poisoning.","XSSはWebページに[悪意]{あくい:malicious}スクリプトを[埋め込み]{うめこみ:embed}、[被害者]{ひがいしゃ:victim}のブラウザで[実行]{じっこう:execute}させる[攻撃]{こうげき:attack}。アはSQLインジェクション、ウはCSRF、エはDNSキャッシュポイズニングの[説明]{せつめい:description}である。",[373,374],"xss","web-attack",{"id":376,"articleId":186,"question":377,"options":380,"correctLabel":200,"explanation":393,"tags":396},"kjh-k2-h01-q09",{"en":378,"jp":379},"Among the four risk response categories, which corresponds to taking out insurance or outsourcing?","リスク[対応]{たいおう:response}の4[分類]{ぶんるい:classifications}のうち、[保険]{ほけん:insurance}への[加入]{かにゅう:joining}やアウトソーシングの[利用]{りよう:use}が[該当]{がいとう:applicable}するものはどれか。",[381,384,387,390],{"label":192,"jp":382,"en":383},"リスク[低減]{ていげん:reduction}","Risk reduction",{"label":196,"jp":385,"en":386},"リスク[回避]{かいひ:avoidance}","Risk avoidance",{"label":200,"jp":388,"en":389},"リスク[移転]{いてん:transfer}","Risk transfer",{"label":204,"jp":391,"en":392},"リスク[保有]{ほゆう:retention}","Risk retention",{"en":394,"jp":395},"Risk transfer shifts risk to a third party via insurance or outsourcing. 
Reduction means implementing countermeasures, avoidance means discontinuing the activity itself, and retention means accepting the risk. Note that transfer shifts the financial or operational impact, not accountability: an organization that outsources the handling of personal data remains responsible for supervising the contractor.","リスク[移転]{いてん:transfer}は、[保険]{ほけん:insurance}やアウトソーシングなどで[第三者]{だいさんしゃ:third party}にリスクを[移す]{うつす:shift}[対応]{たいおう:response}。[低減]{ていげん:reduction}は[対策]{たいさく:countermeasures}を[講じる]{こうじる:implement}こと、[回避]{かいひ:avoidance}は[活動]{かつどう:activity}[自体]{じたい:itself}を[中止]{ちゅうし:discontinue}すること、[保有]{ほゆう:retention}はリスクを[受容]{じゅよう:accept}することである。",[397],"risk-management",{"id":399,"articleId":6,"question":400,"options":403,"correctLabel":192,"explanation":416,"tags":419},"kjh-k2-h01-q10",{"en":401,"jp":402},"Which is the correct order of the PDCA cycle, the central concept of ISMS (JIS Q 27001)?","ISMS（JIS Q 27001）における[中心]{ちゅうしん:central}[概念]{がいねん:concept}であるPDCAサイクルの[順序]{じゅんじょ:order}として[正]{ただ:correct}しいものはどれか。",[404,407,410,413],{"label":192,"jp":405,"en":406},"[計画]{けいかく:plan}→[実行]{じっこう:execute}→[点検]{てんけん:check}→[改善]{かいぜん:improve}","Plan → Do → Check → Act",{"label":196,"jp":408,"en":409},"[計画]{けいかく:plan}→[点検]{てんけん:check}→[実行]{じっこう:execute}→[改善]{かいぜん:improve}","Plan → Check → Do → Act",{"label":200,"jp":411,"en":412},"[実行]{じっこう:execute}→[計画]{けいかく:plan}→[改善]{かいぜん:improve}→[点検]{てんけん:check}","Do → Plan → Act → Check",{"label":204,"jp":414,"en":415},"[点検]{てんけん:check}→[計画]{けいかく:plan}→[実行]{じっこう:execute}→[改善]{かいぜん:improve}","Check → Plan → Do → Act",{"en":417,"jp":418},"PDCA cycles in order: Plan → Do → Check → Act, continuously improving security levels.","PDCAサイクルはPlan（[計画]{けいかく:plan}）→Do（[実行]{じっこう:execute}）→Check（[点検]{てんけん:check}）→Act（[改善]{かいぜん:improve}）の[順]{じゅん:order}で[回す]{まわす:cycle}ことで、セキュリティ[水準]{すいじゅん:level}を[継続的]{けいぞくてき:continuously}に[向上]{こうじょう:improve}させる[考え方]{かんがえかた:concept}である。",[327,420],"PDCA",{"id":422,"articleId":6,"question":423,"options":426,"correctLabel":192,"explanation":439,"tags":442},"kjh-k2-h01-q11",{"en":424,"jp":425},"Which of the Personal Information Protection Act guidelines stipulates safety management measures from four aspects: 
organizational, human, physical, and technical?","[個人]{こじん:personal}[情報]{じょうほう:information}[保護法]{ほごほう:Protection Act}ガイドラインのうち、[安全]{あんぜん:safety}[管理]{かんり:management}[措置]{そち:measures}を[組織的]{そしきてき:organizational}・[人的]{じんてき:human}・[物理的]{ぶつりてき:physical}・[技術的]{ぎじゅつてき:technical}の4[側面]{そくめん:aspects}から[規定]{きてい:stipulate}するのはどれか。",[427,430,433,436],{"label":192,"jp":428,"en":429},"[通則編]{つうそくへん:general rules volume}","General Rules volume",{"label":196,"jp":431,"en":432},"[外国]{がいこく:foreign}にある[第三者]{だいさんしゃ:third party}への[提供編]{ていきょうへん:provision volume}","Foreign Third-Party Provision volume",{"label":200,"jp":434,"en":435},"[確認]{かくにん:confirmation}・[記録]{きろく:record}[義務編]{ぎむへん:obligation volume}","Confirmation and Record Obligation volume",{"label":204,"jp":437,"en":438},"[仮名]{かめい:pseudonymized}・[匿名]{とくめい:anonymized}[加工]{かこう:processed}[情報編]{じょうほうへん:information volume}","Pseudonymized\u002FAnonymized Information volume",{"en":440,"jp":441},"The PPC Personal Information Protection Act guidelines consist of 4 volumes; the most important is the General Rules volume. 
Its safety management measures chapter details all four aspects: organizational, human, physical, and technical.","PPCの[個人]{こじん:personal}[情報]{じょうほう:information}[保護法]{ほごほう:Protection Act}ガイドラインは4[巻]{かん:volumes}[構成]{こうせい:composition}で、[最]{もっと:most}も[重要]{じゅうよう:important}なのが[通則編]{つうそくへん:general rules volume}である。[安全]{あんぜん:safety}[管理]{かんり:management}[措置]{そち:measures}の[章]{しょう:chapter}で[組織的]{そしきてき:organizational}・[人的]{じんてき:human}・[物理的]{ぶつりてき:physical}・[技術的]{ぎじゅつてき:technical}の4[側面]{そくめん:aspects}を[詳細]{しょうさい:in detail}に[規定]{きてい:stipulate}している。",[443,444],"guidelines","safety-management",{"id":446,"articleId":6,"question":447,"options":450,"correctLabel":196,"explanation":463,"tags":466},"kjh-k2-h01-q12",{"en":448,"jp":449},"Which organization was established under the Basic Act on Cybersecurity to formulate and promote Japan's cybersecurity strategy?","サイバーセキュリティ[基本法]{きほんほう:Basic Act}に[基づき]{もとづき:based on}[設置]{せっち:established}され、[日本]{にほん:Japan}のサイバーセキュリティ[戦略]{せんりゃく:strategy}の[策定]{さくてい:formulation}・[推進]{すいしん:promotion}を[担う]{になう:undertake}[組織]{そしき:organization}はどれか。",[451,454,457,460],{"label":192,"jp":452,"en":453},"IPA（情報処理推進機構）","IPA (Information-technology Promotion Agency)",{"label":196,"jp":455,"en":456},"NISC（内閣サイバーセキュリティセンター）","NISC (National center of Incident readiness and Strategy for Cybersecurity)",{"label":200,"jp":458,"en":459},"JIPDEC（日本情報経済社会推進協会）","JIPDEC (Japan Institute for Promotion of Digital Economy and Community)",{"label":204,"jp":461,"en":462},"PPC（個人情報保護委員会）","PPC (Personal Information Protection Commission)",{"en":464,"jp":465},"NISC was established under the 2014 Basic Act on Cybersecurity. It coordinates cooperation with ministries and the private sector. 
JIPDEC is the P-Mark certification body, and PPC is the authority for the Personal Information Protection Act.","2014[年]{ねん:year}[制定]{せいてい:enacted}のサイバーセキュリティ[基本法]{きほんほう:Basic Act}により[設置]{せっち:established}されたのはNISC（[内閣]{ないかく:Cabinet}サイバーセキュリティセンター）。[各]{かく:each}[省庁]{しょうちょう:ministry}や[民間]{みんかん:private sector}との[連携]{れんけい:cooperation}を[調整]{ちょうせい:coordinate}する。JIPDECはPマーク[認証]{にんしょう:certification}[機関]{きかん:body}、PPCは[個人]{こじん:personal}[情報]{じょうほう:information}[保護法]{ほごほう:Protection Act}[所管]{しょかん:jurisdiction}[機関]{きかん:body}である。",[467,468],"cyber-basic-act","NISC",{"id":470,"articleId":6,"question":471,"options":474,"correctLabel":196,"explanation":487,"tags":490},"kjh-k2-h01-q13",{"en":472,"jp":473},"Which of the following correctly describes the scope of use of My Number (specific personal information)?","マイナンバー（[特定]{とくてい:specific}[個人]{こじん:personal}[情報]{じょうほう:information}）の[利用]{りよう:use}[範囲]{はんい:scope}として[正]{ただ:correct}しいものはどれか。",[475,478,481,484],{"label":192,"jp":476,"en":477},"[企業]{きぎょう:company}の[顧客]{こきゃく:customer}[管理]{かんり:management}や[営業]{えいぎょう:sales}[活動]{かつどう:activities}に[幅広く]{はばひろく:broadly}[利用]{りよう:use}できる","Can be widely used for corporate customer management and sales activities",{"label":196,"jp":479,"en":480},"[税]{ぜい:tax}・[社会]{しゃかい:social}[保障]{ほしょう:security}・[災害]{さいがい:disaster}[対策]{たいさく:countermeasures}の3[分野]{ぶんや:fields}に[限定]{げんてい:limited}される","Limited to three fields: tax, social security, and disaster countermeasures",{"label":200,"jp":482,"en":483},"[本人]{ほんにん:the individual}の[同意]{どうい:consent}があればあらゆる[目的]{もくてき:purpose}で[利用]{りよう:use}[可能]{かのう:possible}","May be used for any purpose with the individual's consent",{"label":204,"jp":485,"en":486},"[行政]{ぎょうせい:administrative}[機関]{きかん:body}のみが[利用]{りよう:use}でき、[民間]{みんかん:private sector}[企業]{きぎょう:companies}は[利用]{りよう:use}できない","Only administrative bodies may use it; private companies may not",{"en":488,"jp":489},"My Number use is strictly limited to tax, social security, and disaster countermeasures, and use outside the purpose 
is prohibited even with the individual's consent. Private companies also use it for tax\u002Fsocial security work such as withholding, so D is incorrect.","マイナンバーの[利用]{りよう:use}[範囲]{はんい:scope}は[税]{ぜい:tax}・[社会]{しゃかい:social}[保障]{ほしょう:security}・[災害]{さいがい:disaster}[対策]{たいさく:countermeasures}に[限定]{げんてい:strictly limited}され、[本人]{ほんにん:the individual}の[同意]{どうい:consent}があっても[目的]{もくてき:purpose}[外]{がい:outside}[利用]{りよう:use}は[原則]{げんそく:in principle}[禁止]{きんし:prohibited}。[民間]{みんかん:private sector}[企業]{きぎょう:companies}も[源泉]{げんせん:withholding}[徴収]{ちょうしゅう:tax collection}など[税]{ぜい:tax}・[社会]{しゃかい:social}[保障]{ほしょう:security}[関連]{かんれん:related}[業務]{ぎょうむ:work}で[利用]{りよう:use}するためエは[誤り]{あやまり:incorrect}。",[491],"my-number"]