[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"article:kjh-k2-h02-soshiki-kiso":3},{"meta":4,"markdown":202,"quiz":203},{"type":5,"articleId":6,"slug":6,"title":7,"titleEn":8,"category":9,"order":10,"seriesLabel":11,"summary":12,"publishedAt":13,"image":14,"tags":15,"vocabulary":19,"quizId":198,"source":199},"article","kjh-k2-h02-soshiki-kiso","課題Ⅱ 第２編① 組織的・人的セキュリティ ― 基本方針の策定からリスク管理・規程整備まで","Subject II Part 2: Organizational & Human Security (Part 1) — From basic policy formulation to risk management and regulation development","kojin-joho-hogo\u002Fkadai-2",2021,"課題Ⅱ 第２編①","Covers the foundations of organizational security for personal information protection: formulating a basic policy (contents and relationship to P-Mark\u002FISMS), identifying and managing personal information via ledgers with lifecycle management, risk assessment (recognition, qualitative vs quantitative analysis, the four treatment methods), and developing hierarchical internal regulation documents with PDCA.","2026-04-26T00:00:00Z","https:\u002F\u002Fimages.yamiyomi.com\u002Fkjh-k2-h02-soshiki-kiso.png",[16,17,18],"exam:個人情報保護士","topic:組織的安全管理","topic:リスク管理",[20,25,30,34,38,42,46,50,54,58,62,66,70,74,78,82,86,90,94,98,102,106,110,114,118,122,126,130,134,138,142,146,150,154,158,162,166,170,174,178,182,186,190,194],{"word":21,"reading":22,"meaning":23,"level":24},"基本方針","きほんほうしん","basic policy","N2",{"word":26,"reading":27,"meaning":28,"level":29},"策定","さくてい","formulation, establishment","N1",{"word":31,"reading":32,"meaning":33,"level":24},"宣言","せんげん","declaration",{"word":35,"reading":36,"meaning":37,"level":29},"遵守","じゅんしゅ","compliance, observance",{"word":39,"reading":40,"meaning":41,"level":24},"認証","にんしょう","certification, authentication",{"word":43,"reading":44,"meaning":45,"level":29},"洗い出し","あらいだし","identification, listing out",{"word":47,"reading":48,"meaning":49,"level":29},"台帳","だいちょう","ledger, 
register",{"word":51,"reading":52,"meaning":53,"level":29},"一元的","いちげんてき","centralized, unified",{"word":55,"reading":56,"meaning":57,"level":29},"棚卸し","たなおろし","inventory, stocktaking",{"word":59,"reading":60,"meaning":61,"level":24},"保管","ほかん","storage, safekeeping",{"word":63,"reading":64,"meaning":65,"level":24},"廃棄","はいき","disposal, destruction",{"word":67,"reading":68,"meaning":69,"level":29},"漏洩","ろうえい","leakage, disclosure",{"word":71,"reading":72,"meaning":73,"level":29},"滅失","めっしつ","loss, destruction",{"word":75,"reading":76,"meaning":77,"level":29},"毀損","きそん","damage, impairment",{"word":79,"reading":80,"meaning":81,"level":29},"脅威","きょうい","threat",{"word":83,"reading":84,"meaning":85,"level":29},"脆弱性","ぜいじゃくせい","vulnerability",{"word":87,"reading":88,"meaning":89,"level":29},"定性的","ていせいてき","qualitative",{"word":91,"reading":92,"meaning":93,"level":29},"定量的","ていりょうてき","quantitative",{"word":95,"reading":96,"meaning":97,"level":29},"損失額","そんしつがく","loss amount",{"word":99,"reading":100,"meaning":101,"level":24},"影響度","えいきょうど","impact level",{"word":103,"reading":104,"meaning":105,"level":24},"回避","かいひ","avoidance",{"word":107,"reading":108,"meaning":109,"level":29},"低減","ていげん","reduction, mitigation",{"word":111,"reading":112,"meaning":113,"level":24},"移転","いてん","transfer",{"word":115,"reading":116,"meaning":117,"level":29},"転嫁","てんか","shift, pass on (blame\u002Fcost)",{"word":119,"reading":120,"meaning":121,"level":29},"受容","じゅよう","acceptance",{"word":123,"reading":124,"meaning":125,"level":29},"許容","きょよう","tolerance, allowance",{"word":127,"reading":128,"meaning":129,"level":29},"損害賠償","そんがいばいしょう","liability compensation",{"word":131,"reading":132,"meaning":133,"level":29},"費用対効果","ひようたいこうか","cost-effectiveness",{"word":135,"reading":136,"meaning":137,"level":29},"規程","きてい","regulation, rules",{"word":139,"reading":140,"meaning":141,"level":24},"階層","かいそう","hierarchy, layer",{"word":143,"reading":144,"meaning":145,"level":24},"手順書","てじゅんしょ","procedure 
manual",{"word":147,"reading":148,"meaning":149,"level":24},"様式","ようしき","form, format",{"word":151,"reading":152,"meaning":153,"level":24},"盛り込み","もりこみ","incorporation, inclusion",{"word":155,"reading":156,"meaning":157,"level":24},"周知","しゅうち","dissemination, making known",{"word":159,"reading":160,"meaning":161,"level":29},"適合性","てきごうせい","conformity, compliance",{"word":163,"reading":164,"meaning":165,"level":29},"是正","ぜせい","correction, rectification",{"word":167,"reading":168,"meaning":169,"level":24},"法令","ほうれい","laws and regulations",{"word":171,"reading":172,"meaning":173,"level":24},"改正","かいせい","amendment, revision",{"word":175,"reading":176,"meaning":177,"level":24},"公表","こうひょう","public announcement",{"word":179,"reading":180,"meaning":181,"level":24},"把握","はあく","grasp, understand",{"word":183,"reading":184,"meaning":185,"level":24},"暗号化","あんごうか","encryption",{"word":187,"reading":188,"meaning":189,"level":24},"紛失","ふんしつ","loss, misplacement",{"word":191,"reading":192,"meaning":193,"level":24},"復元","ふくげん","restoration, recovery",{"word":195,"reading":196,"meaning":197,"level":29},"改訂","かいてい","revision","kjh-k2-h02-quiz",{"name":200,"url":201},"個人情報保護士試験対策","https:\u002F\u002Fwww.joho-gakushu.or.jp\u002Fpiip\u002F","\n::para\n[個人]{こじん:individual:N2}[情報]{じょうほう:information:N3}[保護]{ほご:protection:N1}を[組織的]{そしきてき:organizationally:N1}に[推進]{すいしん:promote:N1}するための[第一歩]{だいいっぽ:first step:N1}は、[基本]{きほん:basic:N1}[方針]{ほうしん:policy:N2}（プライバシーポリシー）の[策定]{さくてい:formulation:N1}です。[基本]{きほん:basic:N1}[方針]{ほうしん:policy:N2}とは、[事業者]{じぎょうしゃ:business 
operator:N4}が[個人]{こじん:individual:N2}[情報]{じょうほう:information:N3}をどのように[取り扱う]{とりあつかう:handle:N1}かを[対外的]{たいがいてき:externally:N3}に[宣言]{せんげん:declare:N1}する[文書]{ぶんしょ:document:N4}であり、[組織]{そしき:organization:N1}の[姿勢]{しせい:stance:N1}を[示す]{しめす:show:N3}ものです。[個人]{こじん:individual:N2}[情報]{じょうほう:information:N3}[保護]{ほご:protection:N1}[法]{ほう:law:N3}そのものに[策定]{さくてい:formulation:N1}[義務]{ぎむ:obligation:N1}はありませんが、ガイドラインや[認証]{にんしょう:certification:N1}[制度]{せいど:system:N3}（プライバシーマーク、ISMS）では[必須]{ひっす:mandatory:N1}[要件]{ようけん:requirement:N3}とされています。\n\n#en\nThe first step to organizationally promote personal information protection is formulating a basic policy (privacy policy). A basic policy is a document that externally declares how a business operator handles personal information, showing the organization's stance. The Personal Information Protection Act itself does not mandate its formulation, but guidelines and certification systems (Privacy Mark, ISMS) require it.\n::\n\n::heading\n[基本]{きほん:basic:N1}[方針]{ほうしん:policy:N2}の[記載]{きさい:description:N1}[事項]{じこう:matters:N1}\n\n#en\nItems to include in the basic policy\n::\n\n::para\n[基本]{きほん:basic:N1}[方針]{ほうしん:policy:N2}に[記載]{きさい:describe:N1}すべき[項目]{こうもく:item:N1}は[以下]{いか:following:N4}のとおりです。[第一]{だいいち:first:N1}に、[事業者]{じぎょうしゃ:business operator:N4}の[名称]{めいしょう:name:N1}と[代表者]{だいひょうしゃ:representative:N3}[名]{めい:name:N5}。[第二]{だいに:second:N1}に、[関係]{かんけい:related:N3}[法令]{ほうれい:laws and regulations:N2}・ガイドライン[等]{とう:etc.:N3}の[遵守]{じゅんしゅ:compliance:N1}を[宣言]{せんげん:declare:N1}する[条項]{じょうこう:clause:N1}。[第三]{だいさん:third:N1}に、[安全]{あんぜん:safety:N3}[管理]{かんり:management:N2}[措置]{そち:measures:N1}に[関する]{かんする:regarding:N3}[事項]{じこう:matters:N1}。[第四]{だいよん:fourth:N1}に、[苦情]{くじょう:complaint:N3}および[問合せ]{といあわせ:inquiry:N3}の[窓口]{まどぐち:contact 
point:N3}[情報]{じょうほう:information:N3}。[第五]{だいご:fifth:N1}に、[継続的]{けいぞくてき:continuous:N1}[改善]{かいぜん:improvement:N1}への[取り組み]{とりくみ:commitment:N3}。これらの[項目]{こうもく:item:N1}を[明確]{めいかく:clear:N3}に[記載]{きさい:describe:N1}した[上]{うえ:after:N5}で、ウェブサイト[等]{とう:etc.:N3}を[通じて]{つうじて:through:N4}[外部]{がいぶ:external:N3}に[公表]{こうひょう:announce:N3}しなければなりません。プライバシーマーク[取得]{しゅとく:acquisition:N3}[企業]{きぎょう:company:N1}では、JIS Q 15001の[要求]{ようきゅう:requirement:N3}[事項]{じこう:matters:N1}に[沿った]{そった:in line with:N1}[内容]{ないよう:content:N3}が[求められ]{もとめられ:required:N3}、ISMSでは[情報]{じょうほう:information:N3}[セキュリティ]{セキュリティ:security}[方針]{ほうしん:policy:N2}との[整合性]{せいごうせい:consistency:N1}が[重要]{じゅうよう:important:N3}です。\n\n#en\nThe items that should be stated in the basic policy are as follows. First, the name of the business operator and its representative. Second, a clause declaring compliance with related laws, regulations, and guidelines. Third, matters regarding safety management measures. Fourth, contact information for complaints and inquiries. Fifth, commitment to continuous improvement. After clearly describing these items, it must be publicly announced through the website, etc. 
For companies with the Privacy Mark, content in line with JIS Q 15001 requirements is needed; for ISMS, consistency with the information security policy is important.\n::\n\n::callout\n[試験]{しけん:exam:N4}のポイント：[基本]{きほん:basic:N1}[方針]{ほうしん:policy:N2}は[個人]{こじん:individual:N2}[情報]{じょうほう:information:N3}[保護法]{ほごほう:protection law:N1}[上]{じょう:on:N5}の[義務]{ぎむ:obligation:N1}ではない（×[法定]{ほうてい:statutory:N3}[義務]{ぎむ:obligation:N1}）が、プライバシーマーク（JIS Q 15001）・ISMS（ISO\u002FIEC 27001）では[必須]{ひっす:mandatory:N1}という[点]{てん:point:N3}が[頻出]{ひんしゅつ:frequently appearing:N1}。[記載]{きさい:description:N1}5[項目]{こうもく:item:N1}（[事業者]{じぎょうしゃ:business operator:N4}[名]{めい:name:N5}／[法令]{ほうれい:laws:N2}[遵守]{じゅんしゅ:compliance:N1}／[安全]{あんぜん:safety:N3}[管理]{かんり:management:N2}／[問合せ]{といあわせ:inquiry:N3}[窓口]{まどぐち:contact point:N3}／[継続的]{けいぞくてき:continuous:N1}[改善]{かいぜん:improvement:N1}）と、「[外部]{がいぶ:external:N3}[公表]{こうひょう:announcement:N3}が[必要]{ひつよう:necessary:N3}」という[要件]{ようけん:requirement:N3}を[押さえ]{おさえ:grasp:N3}ましょう。\n\n#en\nExam point: The basic policy is NOT a statutory obligation under the Personal Information Protection Act, but it IS mandatory for Privacy Mark (JIS Q 15001) and ISMS (ISO\u002FIEC 27001) — this distinction frequently appears. 
Memorize the five required items (operator name \u002F legal compliance \u002F safety management \u002F inquiry contact \u002F continuous improvement) and the requirement that the policy must be publicly announced externally.\n::\n\n::heading\n[個人]{こじん:individual:N2}[情報]{じょうほう:information:N3}の[洗い出し]{あらいだし:identification:N3}と[台帳]{だいちょう:ledger:N1}[管理]{かんり:management:N2}\n\n#en\nIdentifying personal information and ledger management\n::\n\n::para\n[基本]{きほん:basic:N1}[方針]{ほうしん:policy:N2}を[策定]{さくてい:formulate:N1}したら、[次]{つぎ:next:N3}は[組織]{そしき:organization:N1}が[保有]{ほゆう:hold:N1}する[個人]{こじん:individual:N2}[情報]{じょうほう:information:N3}をすべて[洗い出し]{あらいだし:identify:N3}、[個人]{こじん:individual:N2}[情報]{じょうほう:information:N3}[管理]{かんり:management:N2}[台帳]{だいちょう:ledger:N1}で[一元的]{いちげんてき:centralized:N4}に[管理]{かんり:manage:N2}します。[台帳]{だいちょう:ledger:N1}に[記録]{きろく:record:N2}すべき[項目]{こうもく:item:N1}は、データ[項目]{こうもく:item:N1}（[氏名]{しめい:name:N1}、[住所]{じゅうしょ:address:N3}、[電話]{でんわ:telephone:N5}[番号]{ばんごう:number:N3}[等]{とう:etc.:N3}）、[利用]{りよう:use:N3}[目的]{もくてき:purpose:N4}、[保管]{ほかん:storage:N1}[場所]{ばしょ:location:N3}（[物理]{ぶつり:physical:N4}\u002F[電子]{でんし:electronic:N5}）、アクセス[権限者]{けんげんしゃ:authorized person:N3}、[保管]{ほかん:storage:N1}[期限]{きげん:deadline:N3}、[管理]{かんり:management:N2}[責任者]{せきにんしゃ:person in charge:N3}です。[台帳]{だいちょう:ledger:N1}により、どの[部署]{ぶしょ:department:N2}がどのような[個人]{こじん:individual:N2}[情報]{じょうほう:information:N3}をどこに[保管]{ほかん:store:N1}しているかを[正確]{せいかく:accurately:N3}に[把握]{はあく:grasp:N1}できるようになります。\n\n#en\nAfter formulating the basic policy, the next step is to identify all personal information held by the organization and manage it centrally with a personal information management ledger. Items to record in the ledger are: data items (name, address, phone number, etc.), purpose of use, storage location (physical\u002Felectronic), authorized access persons, storage deadline, and the person in charge of management. 
The ledger enables accurately grasping which department stores what kind of personal information and where.\n::\n\n::para\n[個人情報保護委員会]{こじんじょうほうほごいいんかい:Personal Information Protection Commission:N1}のガイドライン[通則]{つうそく:general rules:N2}[編]{へん:part:N2}10-3（[組織的]{そしきてき:organizational:N1}[安全]{あんぜん:safety:N3}[管理]{かんり:management:N2}[措置]{そち:measures:N1}）では、[取扱]{とりあつかい:handling:N1}[状況]{じょうきょう:status:N2}を[確認]{かくにん:confirm:N3}する[手段]{しゅだん:means:N3}の[整備]{せいび:maintenance:N1}が[求められ]{もとめられ:required:N3}、その[手法]{しゅほう:method:N3}の[例]{れい:example:N3}として[台帳]{だいちょう:ledger:N1}（[個人]{こじん:individual:N2}データ[管理]{かんり:management:N2}[簿]{ぼ:register:N1}）が[明示的]{めいじてき:explicitly:N3}に[示されて]{しめされて:shown:N3}います。[台帳]{だいちょう:ledger:N1}は[紙]{かみ:paper:N4}でも[電子]{でんし:electronic:N5}でも[構いません]{かまいません:acceptable:N3}が、[更新]{こうしん:update:N3}[履歴]{りれき:history:N1}が[追える]{おえる:traceable:N3}こと、[権限]{けんげん:authority:N3}[者]{しゃ:person:N4}のみが[改訂]{かいてい:revise:N1}できることが[実務]{じつむ:practical:N3}[上]{じょう:on:N5}の[要件]{ようけん:requirement:N3}です。[外部]{がいぶ:external:N3}[委託]{いたく:outsourcing:N1}[先]{さき:destination:N5}に[預けて]{あずけて:entrusted:N2}いるデータも[漏れ]{もれ:omission:N1}なく[記載]{きさい:describe:N1}し、[委託]{いたく:outsourcing:N1}[先]{さき:destination:N5}[名]{めい:name:N5}・[契約]{けいやく:contract:N1}[期間]{きかん:period:N3}・[提供]{ていきょう:provision:N1}[範囲]{はんい:scope:N1}を[明示]{めいじ:specify:N3}します。\n\n#en\nThe Personal Information Protection Commission's General Rules Guidelines Part 10-3 (organizational safety management measures) requires organizations to put in place a means of confirming the handling status of personal data, and explicitly gives a ledger (personal data management register) as the illustrative way to do so. The ledger may be paper-based or electronic, but practical requirements include: its update history must be traceable, and only authorized persons may revise it — the ledger is itself a map of where personal data is stored and who may access it, so it needs integrity and access protection of its own. 
Data entrusted to external outsourcing destinations must also be recorded without omission, with the outsourcing destination name, contract period, and provision scope clearly specified.\n::\n\n::heading\nライフサイクル[管理]{かんり:management:N2}：[各]{かく:each:N2}[段階]{だんかい:stage:N2}の[管理]{かんり:control:N2}\n\n#en\nLifecycle management: controls at each stage\n::\n\n::para\n[個人]{こじん:individual:N2}[情報]{じょうほう:information:N3}にはライフサイクルがあり、[取得]{しゅとく:acquisition:N3}→[利用]{りよう:use:N3}→[保管]{ほかん:storage:N1}→[提供]{ていきょう:provision:N1}→[廃棄]{はいき:disposal:N1}の[各]{かく:each:N2}[段階]{だんかい:stage:N2}で[適切]{てきせつ:appropriate:N3}な[管理]{かんり:management:N2}が[必要]{ひつよう:necessary:N3}です。[取得]{しゅとく:acquisition:N3}[段階]{だんかい:stage:N2}では、[利用]{りよう:use:N3}[目的]{もくてき:purpose:N4}の[特定]{とくてい:specify:N3}と[本人]{ほんにん:the person:N5}への[通知]{つうち:notification:N4}・[公表]{こうひょう:announcement:N3}が[求められ]{もとめられ:required:N3}ます。[利用]{りよう:use:N3}[段階]{だんかい:stage:N2}では、[目的]{もくてき:purpose:N4}[外]{がい:outside:N5}[利用]{りよう:use:N3}の[禁止]{きんし:prohibition:N2}を[徹底]{てってい:thoroughness:N1}します。[保管]{ほかん:storage:N1}[段階]{だんかい:stage:N2}では、[暗号化]{あんごうか:encryption:N3}や[施錠]{せじょう:locking:N1}[管理]{かんり:management:N2}で[漏洩]{ろうえい:leakage:N1}を[防ぎ]{ふせぎ:prevent:N2}ます。[提供]{ていきょう:provision:N1}[段階]{だんかい:stage:N2}では、[第三者]{だいさんしゃ:third party:N1}[提供]{ていきょう:provision:N1}の[制限]{せいげん:restriction:N3}と[記録]{きろく:record:N2}[義務]{ぎむ:obligation:N1}を[遵守]{じゅんしゅ:comply:N1}します。[廃棄]{はいき:disposal:N1}[段階]{だんかい:stage:N2}では、[復元]{ふくげん:restoration:N2}[不可能]{ふかのう:impossible:N3}な[方法]{ほうほう:method:N3}（シュレッダー、[磁気]{じき:magnetic:N1}[消去]{しょうきょ:erasure:N3}、[物理]{ぶつり:physical:N4}[破壊]{はかい:destruction:N1}）で[確実]{かくじつ:reliably:N3}に[処分]{しょぶん:dispose of:N3}します。\n\n#en\nPersonal information has a lifecycle, and appropriate management is needed at each stage: acquisition, use, storage, provision, and disposal. At the acquisition stage, specifying the purpose of use and notifying\u002Fannouncing it to the individual is required. At the use stage, prohibition of use beyond the stated purpose is enforced. 
At the storage stage, leakage risk is reduced through encryption and locked storage management. At the provision stage, restrictions on third-party provision and record-keeping obligations are complied with. At the disposal stage, information is reliably disposed of using irrecoverable methods (shredding, magnetic erasure, physical destruction); note that magnetic erasure (degaussing) is only effective on magnetic media — flash/SSD storage must be physically destroyed or otherwise rendered unrecoverable — and that the disposal should be recorded against the ledger entry so that the next inventory does not find data still listed as held.\n::\n\n::heading\n[個人]{こじん:individual:N2}データの[棚卸し]{たなおろし:inventory:N1}\n\n#en\nPersonal data inventory\n::\n\n::para\n[個人]{こじん:individual:N2}データの[棚卸し]{たなおろし:inventory:N1}とは、[台帳]{だいちょう:ledger:N1}の[内容]{ないよう:content:N3}が[実態]{じったい:actual situation:N1}と[一致]{いっち:match:N1}しているかを[定期的]{ていきてき:periodically:N3}に[確認]{かくにん:confirm:N3}する[作業]{さぎょう:task:N4}です。[新規]{しんき:new:N3}[業務]{ぎょうむ:operations:N3}の[開始]{かいし:start:N4}や[組織]{そしき:organization:N1}[変更]{へんこう:change:N3}に[伴い]{ともない:accompanying:N1}、[台帳]{だいちょう:ledger:N1}に[未]{み:not yet:N3}[登録]{とうろく:register:N2}の[個人]{こじん:individual:N2}[情報]{じょうほう:information:N3}が[発生]{はっせい:occur:N4}していないか、[利用]{りよう:use:N3}[目的]{もくてき:purpose:N4}が[変更]{へんこう:change:N3}されていないか、[保管]{ほかん:storage:N1}[期限]{きげん:deadline:N3}を[過ぎた]{すぎた:exceeded:N3}データが[残って]{のこって:remaining:N3}いないかを[点検]{てんけん:inspect:N1}します。[棚卸し]{たなおろし:inventory:N1}は[年]{ねん:year:N5}に[一回]{いっかい:once:N3}[以上]{いじょう:or more:N4}[実施]{じっし:implement:N1}することが[推奨]{すいしょう:recommended:N1}されます。\n\n#en\nData inventory (棚卸し) is the task of periodically confirming whether the ledger content matches the actual situation. It inspects whether unregistered personal information has emerged due to new business operations or organizational changes, whether purposes of use have been modified, or whether data past its storage deadline remains. 
It is recommended to conduct an inventory at least once per year.\n::\n\n::heading\nリスクの[認識]{にんしき:recognition:N3}と[特定]{とくてい:identification:N3}\n\n#en\nRisk recognition and identification\n::\n\n::para\nリスクの[認識]{にんしき:recognition:N3}とは、[個人]{こじん:individual:N2}[情報]{じょうほう:information:N3}のライフサイクルの[各]{かく:each:N2}[段階]{だんかい:stage:N2}において、[漏洩]{ろうえい:leakage:N1}・[滅失]{めっしつ:loss:N1}・[毀損]{きそん:damage:N1}がどのように[発生]{はっせい:occur:N4}しうるかを[特定]{とくてい:identify:N3}することです。[例えば]{たとえば:for example:N3}、[取得]{しゅとく:acquisition:N3}[段階]{だんかい:stage:N2}では[不正]{ふせい:unauthorized:N4}[取得]{しゅとく:acquisition:N3}や[同意]{どうい:consent:N4}[不備]{ふび:deficiency:N3}、[保管]{ほかん:storage:N1}[段階]{だんかい:stage:N2}では[不正]{ふせい:unauthorized:N4}アクセスや[媒体]{ばいたい:media:N1}の[紛失]{ふんしつ:loss:N1}、[廃棄]{はいき:disposal:N1}[段階]{だんかい:stage:N2}では[復元]{ふくげん:restoration:N2}[可能]{かのう:possible:N3}な[状態]{じょうたい:state:N1}での[廃棄]{はいき:disposal:N1}などがリスクとして[挙げられ]{あげられ:be cited:N1}ます。[脅威]{きょうい:threat:N1}（[外部]{がいぶ:external:N3}[攻撃]{こうげき:attack:N1}、[内部]{ないぶ:internal:N3}[不正]{ふせい:fraud:N4}、[自然]{しぜん:natural:N3}[災害]{さいがい:disaster:N1}）と[脆弱性]{ぜいじゃくせい:vulnerability:N1}（[対策]{たいさく:countermeasure:N1}の[不足]{ふそく:insufficiency:N4}）の[両面]{りょうめん:both sides:N3}から[洗い出し]{あらいだし:identify:N3}ます。\n\n#en\nRisk recognition means identifying how leakage, loss, and damage can occur at each stage of the personal information lifecycle. For example, at the acquisition stage: unauthorized acquisition or consent deficiencies; at the storage stage: unauthorized access or loss of media; at the disposal stage: disposal in a recoverable state, and so on. 
Risks are identified from both the perspective of threats (external attacks, internal fraud, natural disasters) and vulnerabilities (insufficiency of countermeasures).\n::\n\n::para\nリスクアセスメントは[国際]{こくさい:international:N3}[規格]{きかく:standard:N3}ISO 31000で[体系化]{たいけいか:systematized:N1}されており、「リスクの[特定]{とくてい:identification:N3}（identification）→リスク[分析]{ぶんせき:analysis:N1}（analysis）→リスク[評価]{ひょうか:evaluation:N1}（evaluation）」の3[段階]{だんかい:stage:N2}で[構成]{こうせい:compose:N3}されます。[特定]{とくてい:identify:N3}[段階]{だんかい:stage:N2}では[情報]{じょうほう:information:N3}[資産]{しさん:asset:N3}[台帳]{だいちょう:ledger:N1}を[元]{もと:basis:N4}に[脅威]{きょうい:threat:N1}と[脆弱性]{ぜいじゃくせい:vulnerability:N1}を[列挙]{れっきょ:enumerate:N1}し、[分析]{ぶんせき:analysis:N1}[段階]{だんかい:stage:N2}で[発生]{はっせい:occurrence:N4}[可能性]{かのうせい:likelihood:N3}と[影響度]{えいきょうど:impact:N1}を[見積もり]{みつもり:estimate:N3}、[評価]{ひょうか:evaluation:N1}[段階]{だんかい:stage:N2}で[受容]{じゅよう:acceptance:N3}[基準]{きじゅん:criteria:N1}（リスク[受容]{じゅよう:acceptance:N3}レベル）と[比較]{ひかく:compare:N1}します。[受容]{じゅよう:acceptance:N3}[基準]{きじゅん:criteria:N1}を[上回る]{うわまわる:exceed:N3}リスクは[対応]{たいおう:response:N1}が[必須]{ひっす:mandatory:N1}、[下回る]{したまわる:below:N3}リスクは[受容]{じゅよう:acceptance:N3}（保有）として[文書化]{ぶんしょか:document:N3}します。\n\n#en\nRisk assessment is systematized in the international standard ISO 31000, consisting of three stages: risk identification → risk analysis → risk evaluation. In the identification stage, threats and vulnerabilities are enumerated based on the information asset ledger; in the analysis stage, likelihood of occurrence and impact are estimated; in the evaluation stage, results are compared against acceptance criteria (risk acceptance level). 
Risks exceeding the criteria require treatment; risks below the criteria are documented as accepted (retained).\n::\n\n::heading\nリスク[分析]{ぶんせき:analysis:N1}：[定性的]{ていせいてき:qualitative:N3}[分析]{ぶんせき:analysis:N1}と[定量的]{ていりょうてき:quantitative:N2}[分析]{ぶんせき:analysis:N1}\n\n#en\nRisk analysis: qualitative vs quantitative\n::\n\n::para\n[特定]{とくてい:identified:N3}したリスクを[分析]{ぶんせき:analyze:N1}する[手法]{しゅほう:method:N3}には、[定性的]{ていせいてき:qualitative:N3}[分析]{ぶんせき:analysis:N1}と[定量的]{ていりょうてき:quantitative:N2}[分析]{ぶんせき:analysis:N1}の2つがあります。[定性的]{ていせいてき:qualitative:N3}[分析]{ぶんせき:analysis:N1}では、リスクを「[高]{こう:high:N5}」「[中]{ちゅう:medium:N5}」「[低]{てい:low:N2}」のように[段階]{だんかい:level:N2}で[評価]{ひょうか:evaluate:N1}します。[定量的]{ていりょうてき:quantitative:N2}[分析]{ぶんせき:analysis:N1}では、[金額]{きんがく:monetary amount:N2}で[算出]{さんしゅつ:calculate:N2}します。[代表的]{だいひょうてき:representative:N3}な[計算]{けいさん:calculation:N2}[式]{しき:formula:N3}がALE（[年間]{ねんかん:annual:N5}[予想]{よそう:expected:N3}[損失額]{そんしつがく:loss amount:N2}）= SLE（1[回]{かい:time:N3}あたりの[予想]{よそう:expected:N3}[損失額]{そんしつがく:loss amount:N2}）× ARO（[年間]{ねんかん:annual:N5}[発生]{はっせい:occurrence:N4}[率]{りつ:rate:N1}）です。[例えば]{たとえば:for example:N3}、1[件]{けん:case:N3}の[漏洩]{ろうえい:leakage:N1}で500[万]{まん:10,000:N5}[円]{えん:yen:N5}の[損害]{そんがい:damage:N2}が[見込まれ]{みこまれ:estimated:N3}、[年]{ねん:year:N5}に0.1[回]{かい:time:N3}[発生]{はっせい:occur:N4}するなら、ALE = 50[万]{まん:10,000:N5}[円]{えん:yen:N5}となります。\n\n#en\nThere are two methods for analyzing identified risks: qualitative analysis and quantitative analysis. Qualitative analysis evaluates risks in levels such as \"high,\" \"medium,\" and \"low.\" Quantitative analysis calculates in monetary amounts. The representative formula is ALE (Annual Loss Expectancy) = SLE (Single Loss Expectancy) × ARO (Annualized Rate of Occurrence). 
For example, if one leakage incident is estimated to cause 5 million yen in damage and occurs 0.1 times per year, ALE = 500,000 yen.\n::\n\n::heading\nリスク[評価]{ひょうか:evaluation:N1}と[優先]{ゆうせん:priority:N3}[順位]{じゅんい:ranking:N2}\n\n#en\nRisk evaluation and prioritization\n::\n\n::para\nリスク[評価]{ひょうか:evaluation:N1}では、[分析]{ぶんせき:analysis:N1}[結果]{けっか:result:N1}をもとに[優先]{ゆうせん:priority:N3}[順位]{じゅんい:ranking:N2}をつけます。[一般的]{いっぱんてき:common:N2}に、[影響度]{えいきょうど:impact:N1}（[被害]{ひがい:damage:N2}の[大き]{おおき:magnitude:N5}さ）と[発生]{はっせい:occurrence:N4}[可能性]{かのうせい:likelihood:N3}（[頻度]{ひんど:frequency:N1}）の2[軸]{じく:axis:N1}で[評価]{ひょうか:evaluate:N1}します。[影響度]{えいきょうど:impact:N1}が[大きく]{おおきく:large:N5}、[発生]{はっせい:occurrence:N4}[可能性]{かのうせい:likelihood:N3}も[高い]{たかい:high:N5}リスクから[優先的]{ゆうせんてき:preferentially:N3}に[対策]{たいさく:countermeasure:N1}を[講じ]{こうじ:take:N2}ます。リスクマトリクスを[作成]{さくせい:create:N3}し、[視覚的]{しかくてき:visually:N1}に[整理]{せいり:organize:N1}することで、[経営]{けいえい:management:N2}[層]{そう:level:N2}への[説明]{せつめい:explanation:N3}にも[活用]{かつよう:utilize:N3}できます。\n\n#en\nIn risk evaluation, priorities are assigned based on the analysis results. Generally, risks are evaluated on two axes: impact (magnitude of damage) and likelihood (frequency of occurrence). Countermeasures are prioritized for risks with high impact and high likelihood. 
By creating a risk matrix and visually organizing it, it can also be utilized for explanations to management.\n::\n\n::heading\nリスク[対策]{たいさく:countermeasure:N1}の4つの[手法]{しゅほう:method:N3}\n\n#en\nThe four risk treatment methods\n::\n\n::para\nリスク[対策]{たいさく:countermeasure:N1}には4つの[手法]{しゅほう:method:N3}があります。[第一]{だいいち:first:N1}は[回避]{かいひ:avoidance:N1}で、リスクの[原因]{げんいん:cause:N3}となる[活動]{かつどう:activity:N3}そのものを[中止]{ちゅうし:cease:N4}します。[例]{れい:example:N3}：[不要]{ふよう:unnecessary:N3}な[個人]{こじん:individual:N2}[情報]{じょうほう:information:N3}の[収集]{しゅうしゅう:collection:N3}を[廃止]{はいし:abolish:N1}する。[第二]{だいに:second:N1}は[低減]{ていげん:reduction:N2}（[軽減]{けいげん:mitigation:N2}）で、[技術的]{ぎじゅつてき:technical:N2}・[組織的]{そしきてき:organizational:N1}な[対策]{たいさく:countermeasure:N1}でリスクを[小さく]{ちいさく:smaller:N5}します。[例]{れい:example:N3}：[暗号化]{あんごうか:encryption:N3}の[導入]{どうにゅう:introduction:N2}、アクセス[制御]{せいぎょ:control:N3}の[強化]{きょうか:strengthening:N3}。[第三]{だいさん:third:N1}は[移転]{いてん:transfer:N2}（[転嫁]{てんか:shift:N1}）で、リスクを[他者]{たしゃ:others:N3}に[移し]{うつし:transfer:N2}ます。[例]{れい:example:N3}：[損害]{そんがい:damage:N2}[賠償]{ばいしょう:compensation:N1}[保険]{ほけん:insurance:N1}の[加入]{かにゅう:enrollment:N3}、[専門]{せんもん:specialist:N2}[業者]{ぎょうしゃ:contractor:N4}への[委託]{いたく:outsourcing:N1}。[第四]{だいよん:fourth:N1}は[受容]{じゅよう:acceptance:N3}（[保有]{ほゆう:retention:N1}）で、[対策]{たいさく:countermeasure:N1}[費用]{ひよう:cost:N3}が[被害額]{ひがいがく:damage amount:N2}を[上回る]{うわまわる:exceed:N3}[場合]{ばあい:case:N3}[等]{とう:etc.:N3}に、リスクをそのまま[受け入れ]{うけいれ:accept:N3}ます。[費用]{ひよう:cost:N3}[対]{たい:versus:N3}[効果]{こうか:effect:N2}を[考慮]{こうりょ:consider:N1}して[最適]{さいてき:optimal:N3}な[組み合わせ]{くみあわせ:combination:N3}を[選択]{せんたく:select:N1}します。\n\n#en\nThere are four risk treatment methods. First is avoidance: ceasing the activity that causes the risk. Example: abolishing unnecessary collection of personal information. Second is reduction (mitigation): making the risk smaller through technical and organizational countermeasures. Example: introducing encryption, strengthening access control. Third is transfer (shift): transferring the risk to others. 
Example: enrolling in liability insurance, outsourcing to specialist contractors. Transfer shifts the financial or operational burden, not accountability: data entrusted to a contractor must still appear in the organization's ledger, the contractor must be supervised under the contractor management criteria in the organization's regulations, and the organization remains the responsible business operator for incidents that occur at the contractor. Fourth is acceptance (retention): accepting the risk as-is when, for example, the cost of countermeasures exceeds the potential damage amount; acceptance is a documented decision made against the acceptance criteria, not a silent default, and it is revisited when the risk assessment is repeated. The optimal combination is selected considering cost-effectiveness.\n::\n\n::callout\n[試験]{しけん:exam:N4}では、リスク[対策]{たいさく:countermeasure:N1}の4つの[手法]{しゅほう:method:N3}について、[具体的]{ぐたいてき:specific:N3}な[事例]{じれい:case:N3}がどの[手法]{しゅほう:method:N3}に[該当]{がいとう:applicable:N1}するかを[問う]{とう:ask:N4}[問題]{もんだい:question:N4}が[頻出]{ひんしゅつ:frequently appearing:N1}します。[回避]{かいひ:avoidance:N1}＝[活動]{かつどう:activity:N3}の[中止]{ちゅうし:cease:N4}、[低減]{ていげん:reduction:N2}＝[技術的]{ぎじゅつてき:technical:N2}・[組織的]{そしきてき:organizational:N1}[対策]{たいさく:countermeasure:N1}、[移転]{いてん:transfer:N2}＝[保険]{ほけん:insurance:N1}・[外部]{がいぶ:external:N3}[委託]{いたく:outsourcing:N1}、[受容]{じゅよう:acceptance:N3}＝[許容]{きょよう:tolerance:N3}[範囲]{はんい:scope:N1}[内]{ない:within:N3}として[受け入れる]{うけいれる:accept:N3}、という[対応]{たいおう:correspondence:N1}を[正確]{せいかく:accurately:N3}に[覚え]{おぼえ:memorize:N3}ましょう。\n\n#en\nOn the exam, questions frequently ask which method a specific case corresponds to among the four risk treatment methods. 
Memorize accurately: avoidance = ceasing the activity, reduction = technical\u002Forganizational countermeasures, transfer = insurance\u002Fexternal outsourcing, acceptance = accepting within tolerance.\n::\n\n::heading\n[規程]{きてい:regulation:N3}[文書]{ぶんしょ:document:N4}の[階層]{かいそう:hierarchy:N2}[体系]{たいけい:system:N1}\n\n#en\nHierarchical structure of regulation documents\n::\n\n::para\n[個人]{こじん:individual:N2}[情報]{じょうほう:information:N3}[保護]{ほご:protection:N1}を[確実]{かくじつ:reliably:N3}に[実行]{じっこう:execute:N3}するためには、[規程]{きてい:regulation:N3}[文書]{ぶんしょ:document:N4}を[体系的]{たいけいてき:systematically:N1}に[整備]{せいび:develop:N1}する[必要]{ひつよう:necessity:N3}があります。[文書]{ぶんしょ:document:N4}[体系]{たいけい:system:N1}は[階層]{かいそう:hierarchy:N2}[構造]{こうぞう:structure:N2}で[構成]{こうせい:compose:N3}されます。[最上位]{さいじょうい:highest level:N3}に[基本]{きほん:basic:N1}[方針]{ほうしん:policy:N2}（プライバシーポリシー）、[第二]{だいに:second:N1}[層]{そう:layer:N2}に[個人]{こじん:individual:N2}[情報]{じょうほう:information:N3}[保護]{ほご:protection:N1}[規程]{きてい:regulation:N3}（[管理]{かんり:management:N2}[規程]{きてい:regulation:N3}）、[第三]{だいさん:third:N1}[層]{そう:layer:N2}に[実施]{じっし:implementation:N1}[手順書]{てじゅんしょ:procedure manual:N2}・マニュアル、[第四]{だいよん:fourth:N1}[層]{そう:layer:N2}に[様式]{ようしき:forms:N3}・[記録]{きろく:records:N2}（[申請書]{しんせいしょ:application form:N1}、[チェック]{チェック:check}リスト、[台帳]{だいちょう:ledger:N1}）を[配置]{はいち:arrange:N3}します。\n\n#en\nTo reliably execute personal information protection, regulation documents must be systematically developed. The document system is composed in a hierarchical structure. 
At the highest level: the basic policy (privacy policy); second layer: personal information protection regulations (management regulations); third layer: implementation procedure manuals; fourth layer: forms and records (application forms, checklists, ledgers).\n::\n\n::heading\n[個人]{こじん:individual:N2}[情報]{じょうほう:information:N3}[保護]{ほご:protection:N1}[規程]{きてい:regulation:N3}に[盛り込む]{もりこむ:incorporate:N1}[事項]{じこう:matters:N1}\n\n#en\nMatters to incorporate in personal information protection regulations\n::\n\n::para\n[個人]{こじん:individual:N2}[情報]{じょうほう:information:N3}[保護]{ほご:protection:N1}[規程]{きてい:regulation:N3}には、[以下]{いか:following:N4}の[事項]{じこう:matters:N1}を[盛り込み]{もりこみ:incorporate:N1}ます。[個人]{こじん:individual:N2}[情報]{じょうほう:information:N3}の[取扱い]{とりあつかい:handling:N1}の[範囲]{はんい:scope:N1}（[対象]{たいしょう:target:N2}[業務]{ぎょうむ:operations:N3}、[対象]{たいしょう:target:N2}データ）、[責任者]{せきにんしゃ:person in charge:N3}の[役割]{やくわり:role:N3}と[権限]{けんげん:authority:N3}、[取得]{しゅとく:acquisition:N3}・[利用]{りよう:use:N3}の[手順]{てじゅん:procedure:N2}、[安全]{あんぜん:safety:N3}[管理]{かんり:management:N2}[措置]{そち:measures:N1}の[具体的]{ぐたいてき:specific:N3}[内容]{ないよう:content:N3}、[委託]{いたく:outsourcing:N1}[先]{さき:destination:N5}[管理]{かんり:management:N2}[基準]{きじゅん:criteria:N1}、[事故]{じこ:incident:N1}[発生]{はっせい:occurrence:N4}[時]{じ:time:N5}の[対応]{たいおう:response:N1}[手順]{てじゅん:procedure:N2}です。これらの[規程]{きてい:regulation:N3}は[全]{ぜん:all:N3}[従業者]{じゅうぎょうしゃ:workers:N1}に[周知]{しゅうち:disseminate:N2}し、[閲覧]{えつらん:browsing:N1}[可能]{かのう:possible:N3}な[状態]{じょうたい:state:N1}にしておかなければなりません。\n\n#en\nThe personal information protection regulations incorporate the following matters: the scope of personal information handling (target operations, target data), roles and authority of responsible persons, procedures for acquisition and use, specific content of safety management measures, contractor management criteria, and incident response procedures. 
These regulations must be disseminated to all workers and kept in a browsable state.\n::\n\n::para\n[規程]{きてい:regulation:N3}[文書]{ぶんしょ:document:N4}は[改訂]{かいてい:revision:N1}[履歴]{りれき:history:N1}を[明確]{めいかく:clearly:N3}に[管理]{かんり:manage:N2}しなければなりません。[版]{はん:version:N2}[番号]{ばんごう:number:N3}・[改訂]{かいてい:revision:N1}[日付]{ひづけ:date:N3}・[改訂]{かいてい:revision:N1}[内容]{ないよう:content:N3}・[承認]{しょうにん:approval:N2}[者]{しゃ:person:N4}を[文書]{ぶんしょ:document:N4}[冒頭]{ぼうとう:beginning:N1}に[記載]{きさい:describe:N1}し、[旧]{きゅう:old:N2}[版]{はん:version:N2}は[一定]{いってい:fixed:N3}[期間]{きかん:period:N3}[保管]{ほかん:store:N1}した[上]{うえ:after:N5}で[廃版]{はいはん:obsolete:N1}[表示]{ひょうじ:mark:N3}とします。[現行]{げんこう:current:N3}[版]{はん:version:N2}と[旧]{きゅう:old:N2}[版]{はん:version:N2}が[混在]{こんざい:coexist:N2}することを[防ぐ]{ふせぐ:prevent:N2}ため、[文書]{ぶんしょ:document:N4}[管理]{かんり:management:N2}[台帳]{だいちょう:ledger:N1}で[一元的]{いちげんてき:centrally:N4}に[管理]{かんり:manage:N2}し、[全]{ぜん:all:N3}[従業者]{じゅうぎょうしゃ:workers:N1}が[常]{つね:always:N3}に[最新]{さいしん:latest:N3}[版]{はん:version:N2}を[参照]{さんしょう:reference:N2}できる[体制]{たいせい:system:N3}を[整え]{ととのえ:establish:N1}ます。イントラネットや[文書]{ぶんしょ:document:N4}[管理]{かんり:management:N2}システムでの[集中]{しゅうちゅう:centralized:N4}[管理]{かんり:management:N2}が[望ましい]{のぞましい:desirable:N3}とされています。\n\n#en\nRegulation documents must clearly manage their revision history. Version number, revision date, revision content, and approver are stated at the beginning of the document. Old versions are stored for a fixed period, then marked as obsolete. To prevent coexistence of current and old versions, documents are managed centrally via a document management ledger, establishing a system where all workers can always reference the latest version. 
Centralized management via intranet or document management systems is considered desirable.\n::\n\n::heading\nPDCAサイクルによる[継続的]{けいぞくてき:continuous:N1}[改善]{かいぜん:improvement:N1}\n\n#en\nContinuous improvement through the PDCA cycle\n::\n\n::para\n[規程]{きてい:regulation:N3}[文書]{ぶんしょ:document:N4}の[運用]{うんよう:operation:N4}にはPDCAサイクルを[適用]{てきよう:apply:N3}します。Plan（[計画]{けいかく:plan:N4}）：[規程]{きてい:regulation:N3}の[策定]{さくてい:formulation:N1}・[改訂]{かいてい:revision:N1}。Do（[実行]{じっこう:execution:N3}）：[規程]{きてい:regulation:N3}に[基づく]{もとづく:based on:N1}[日常]{にちじょう:daily:N3}[運用]{うんよう:operation:N4}。Check（[点検]{てんけん:inspection:N1}）：[内部]{ないぶ:internal:N3}[監査]{かんさ:audit:N1}や[自己]{じこ:self:N1}[点検]{てんけん:inspection:N1}による[適合性]{てきごうせい:conformity:N3}の[確認]{かくにん:confirmation:N3}。Act（[改善]{かいぜん:improvement:N1}）：[不備]{ふび:deficiency:N3}の[是正]{ぜせい:correction:N1}、[法令]{ほうれい:laws and regulations:N2}[改正]{かいせい:amendment:N2}や[社会]{しゃかい:society:N4}[環境]{かんきょう:environment:N1}の[変化]{へんか:change:N3}に[対応]{たいおう:respond:N1}した[見直し]{みなおし:review:N3}。このサイクルを[継続的]{けいぞくてき:continuously:N1}に[回す]{まわす:turn:N3}ことで、[個人]{こじん:individual:N2}[情報]{じょうほう:information:N3}[保護]{ほご:protection:N1}の[水準]{すいじゅん:standard:N2}を[維持]{いじ:maintain:N1}・[向上]{こうじょう:improve:N3}させます。[特]{とく:especially:N4}に、[法令]{ほうれい:laws and regulations:N2}[改正]{かいせい:amendment:N2}[時]{じ:time:N5}には[速やか]{すみやか:promptly:N3}に[規程]{きてい:regulation:N3}を[改訂]{かいてい:revise:N1}することが[不可欠]{ふかけつ:indispensable:N3}です。\n\n#en\nThe PDCA cycle is applied to the operation of regulation documents. Plan: formulation and revision of regulations. Do: daily operation based on regulations. Check: confirmation of conformity through internal audits and self-inspections. Act: correction of deficiencies, review in response to legal amendments and changes in the social environment. By continuously turning this cycle, the standard of personal information protection is maintained and improved. 
In particular, it is indispensable to promptly revise regulations when laws are amended.\n::\n\n::para\n[規程]{きてい:regulation:N3}を[整備]{せいび:develop:N1}しただけでは[不十分]{ふじゅうぶん:insufficient:N4}で、[内部]{ないぶ:internal:N3}[監査]{かんさ:audit:N1}と[経営]{けいえい:management:N2}[層]{そう:layer:N2}による[見直し]{みなおし:review:N3}（マネジメントレビュー）で[実効性]{じっこうせい:effectiveness:N2}を[確保]{かくほ:secure:N1}します。[内部]{ないぶ:internal:N3}[監査]{かんさ:audit:N1}は[独立性]{どくりつせい:independence:N1}を[保つ]{たもつ:maintain:N1}ため、[被]{ひ:subject:N2}[監査]{かんさ:audit:N1}[部門]{ぶもん:department:N2}[以外]{いがい:other than:N4}の[者]{しゃ:person:N4}が[実施]{じっし:implement:N1}します。[指摘]{してき:finding:N1}[事項]{じこう:matter:N1}は[是正]{ぜせい:corrective:N1}[処置]{しょち:action:N3}[報告書]{ほうこくしょ:report:N3}にまとめ、[期限]{きげん:deadline:N3}を[定めて]{さだめて:set:N3}[改善]{かいぜん:improvement:N1}を[完了]{かんりょう:complete:N2}させます。マネジメントレビューでは[経営]{けいえい:management:N2}[層]{そう:layer:N2}が[監査]{かんさ:audit:N1}[結果]{けっか:result:N1}・[事故]{じこ:incident:N1}[発生]{はっせい:occurrence:N4}[状況]{じょうきょう:status:N2}・[法令]{ほうれい:laws:N2}[改正]{かいせい:amendment:N2}を[受け]{うけ:in light of:N3}、[資源]{しげん:resources:N1}[配分]{はいぶん:allocation:N3}や[方針]{ほうしん:policy:N2}[変更]{へんこう:change:N3}を[決定]{けってい:decide:N3}します。\n\n#en\nMerely developing regulations is insufficient; effectiveness is secured through internal audits and management-level reviews (management review). Internal audits are conducted by persons outside the audited department to maintain independence. Findings are compiled into corrective action reports, and improvements are completed within set deadlines. 
In management review, executives decide on resource allocation and policy changes in light of audit results, incident occurrence status, and legal amendments.\n::\n\n::callout\n[試験]{しけん:exam:N4}のポイント：PDCAサイクルの[各]{かく:each:N2}[段階]{だんかい:stage:N2}と[対応]{たいおう:corresponding:N1}する[活動]{かつどう:activity:N3}が[問われ]{とわれ:asked:N4}ます。Plan＝[規程]{きてい:regulation:N3}[策定]{さくてい:formulation:N1}、Do＝[日常]{にちじょう:daily:N3}[運用]{うんよう:operation:N4}、Check＝[内部]{ないぶ:internal:N3}[監査]{かんさ:audit:N1}・[自己]{じこ:self:N1}[点検]{てんけん:inspection:N1}、Act＝[是正]{ぜせい:corrective:N1}[処置]{しょち:action:N3}・マネジメントレビュー。[特]{とく:especially:N4}に「[内部]{ないぶ:internal:N3}[監査]{かんさ:audit:N1}はCheckに[該当]{がいとう:belongs:N1}」「マネジメントレビューはAct（または[改善]{かいぜん:improvement:N1}フェーズ）」という[対応]{たいおう:correspondence:N1}を[問う]{とう:ask:N4}[問題]{もんだい:question:N4}が[多い]{おおい:common:N4}です。\n\n#en\nExam point: Questions ask which PDCA stage corresponds to which activity. Plan = formulating regulations, Do = daily operation, Check = internal audit \u002F self-inspection, Act = corrective action \u002F management review. 
In particular, questions often test the correspondence: \"internal audit belongs to Check\" and \"management review belongs to Act (or improvement phase).\"\n::\n",{"id":198,"title":204,"titleEn":205,"topicPath":206,"questions":207},"第２編 組織的・人的セキュリティ 確認テスト","Chapter 2: Organizational & Human Security — Practice Test","software\u002Fkojin-joho-hogo\u002Fkadai-2\u002Fhen-02-soshikiteki-jinteki",[208,235,259,283,307,330,354,378,402,426,450,474,497],{"id":209,"articleId":6,"question":210,"options":213,"correctLabel":215,"explanation":230,"tags":233},"kjh-k2-h02-q01",{"en":211,"jp":212},"Among the four risk treatment methods, what is it called when you stop the activity that causes the risk entirely?","リスク[対策]{たいさく:countermeasure}の4[手法]{しゅほう:methods}のうち、リスクの[原因]{げんいん:cause}となる[活動]{かつどう:activity}[自体]{じたい:itself}を[取]{と:take}りやめることを[何]{なに:what}というか。",[214,218,222,226],{"label":215,"jp":216,"en":217},"ア","リスク[回避]{かいひ:avoidance}","Risk avoidance",{"label":219,"jp":220,"en":221},"イ","リスク[低減]{ていげん:reduction}","Risk reduction",{"label":223,"jp":224,"en":225},"ウ","リスク[移転]{いてん:transfer}","Risk transfer",{"label":227,"jp":228,"en":229},"エ","リスク[受容]{じゅよう:acceptance}","Risk acceptance",{"en":231,"jp":232},"Risk avoidance means discontinuing the activity that causes the risk. Reduction lowers the probability or impact through security measures. Transfer shifts the risk to others via insurance or outsourcing. 
Acceptance means tolerating the risk as-is.","リスク[回避]{かいひ:avoidance}は、リスクの[原因]{げんいん:cause}となる[活動]{かつどう:activity}そのものを[中止]{ちゅうし:discontinue}する[方法]{ほうほう:method}。[低減]{ていげん:reduction}はセキュリティ[対策]{たいさく:countermeasure}で[発生]{はっせい:occurrence}[確率]{かくりつ:probability}や[影響]{えいきょう:impact}を[下]{さ:lower}げること、[移転]{いてん:transfer}は[保険]{ほけん:insurance}や[外部]{がいぶ:external}[委託]{いたく:outsourcing}でリスクを[他者]{たしゃ:others}に[移]{うつ:transfer}すこと、[受容]{じゅよう:acceptance}はリスクをそのまま[受]{う:accept}け[入]{い:accept}れることである。",[234],"risk-management",{"id":236,"articleId":237,"question":238,"options":241,"correctLabel":223,"explanation":254,"tags":257},"kjh-k2-h02-q02","kjh-k1-h04-anzen-kanri",{"en":239,"jp":240},"Which of the following is NOT included in the organizational safety management measures under the Personal Information Protection Act guidelines?","[個人情報]{こじんじょうほう:personal information}[保護法]{ほごほう:protection law}ガイドラインにおける[組織的]{そしきてき:organizational}[安全]{あんぜん:safety}[管理]{かんり:management}[措置]{そち:measures}に[含]{ふく:include}まれないものはどれか。",[242,245,248,251],{"label":215,"jp":243,"en":244},"[組織]{そしき:organization}[体制]{たいせい:structure}の[整備]{せいび:establishment}","Establishment of organizational structure",{"label":219,"jp":246,"en":247},"[個人]{こじん:personal}データの[取扱]{とりあつかい:handling}いに[係]{かか:related}る[規律]{きりつ:rules}の[整備]{せいび:establishment}","Establishment of rules for handling personal data",{"label":223,"jp":249,"en":250},"[従業者]{じゅうぎょうしゃ:employee}に対する[教育]{きょういく:education}・[訓練]{くんれん:training}の[実施]{じっし:implementation}","Implementation of education and training for employees",{"label":227,"jp":252,"en":253},"[取扱]{とりあつかい:handling}[状況]{じょうきょう:status}を[確認]{かくにん:confirm}する[手段]{しゅだん:means}の[整備]{せいび:establishment}","Establishment of means to confirm handling status",{"en":255,"jp":256},"Organizational safety management measures consist of 5 items: (1) organizational structure, (2) rules for handling, (3) means to confirm handling status, (4) incident response structure, and (5) review of handling status and safety measures. 
Education and training for employees falls under \"human safety management measures.\"","[組織的]{そしきてき:organizational}[安全]{あんぜん:safety}[管理]{かんり:management}[措置]{そち:measures}は、(1)[組織]{そしき:organization}[体制]{たいせい:structure}の[整備]{せいび:establishment}、(2)[規律]{きりつ:rules}の[整備]{せいび:establishment}、(3)[取扱]{とりあつかい:handling}[状況]{じょうきょう:status}の[確認]{かくにん:confirmation}[手段]{しゅだん:means}、(4)[漏]{ろう:leak}えい[事案]{じあん:incident}への[対応]{たいおう:response}[体制]{たいせい:structure}、(5)[取扱]{とりあつかい:handling}[状況]{じょうきょう:status}の[把握]{はあく:grasp}・[安全]{あんぜん:safety}[管理]{かんり:management}[措置]{そち:measures}の[見直]{みなお:review}しの5[項目]{こうもく:items}。[従業者]{じゅうぎょうしゃ:employee}への[教育]{きょういく:education}・[訓練]{くんれん:training}は「[人的]{じんてき:human}[安全]{あんぜん:safety}[管理]{かんり:management}[措置]{そち:measures}」に[該当]{がいとう:applicable}する。",[258],"organizational-measures",{"id":260,"articleId":237,"question":261,"options":264,"correctLabel":223,"explanation":277,"tags":280},"kjh-k2-h02-q03",{"en":262,"jp":263},"Which of the following correctly defines \"employee\" (juugyousha) under the Personal Information Protection Act?","[個人情報]{こじんじょうほう:personal information}[保護法]{ほごほう:protection law}における「[従業者]{じゅうぎょうしゃ:employee}」の[定義]{ていぎ:definition}として[正]{ただ:correct}しいものはどれか。",[265,268,271,274],{"label":215,"jp":266,"en":267},"[正]{せい:regular}[社員]{しゃいん:employee}のみを[指]{さ:refer to}す","Refers only to regular (full-time) employees",{"label":219,"jp":269,"en":270},"[正]{せい:regular}[社員]{しゃいん:employee}および[契約]{けいやく:contract}[社員]{しゃいん:employee}のみを[指]{さ:refer to}す","Refers only to regular and contract employees",{"label":223,"jp":272,"en":273},"[雇用]{こよう:employment}[関係]{かんけい:relationship}にある[従業員]{じゅうぎょういん:employee}のほか、[取締役]{とりしまりやく:director}、[派遣]{はけん:dispatch}[社員]{しゃいん:worker}[等]{とう:etc.}も[含]{ふく:include}む","Includes employees in an employment relationship, as well as directors, dispatched workers, etc.",{"label":227,"jp":275,"en":276},"[業務]{ぎょうむ:business}[委託先]{いたくさき:outsourcing partner}の[社員]{しゃいん:employee}も[含]{ふく:include}む","Also includes employees of outsourcing 
partners",{"en":278,"jp":279},"\"Employee\" under the Act includes all persons working under the command of the business operator: regular employees, directors, executive officers, trustees, auditors, dispatched workers, etc. However, employees of outsourcing partners are NOT included.","[個人情報]{こじんじょうほう:personal information}[保護法]{ほごほう:protection law}の「[従業者]{じゅうぎょうしゃ:employee}」は、[雇用]{こよう:employment}[関係]{かんけい:relationship}にある[従業員]{じゅうぎょういん:employee}だけでなく、[取締役]{とりしまりやく:director}、[執行役]{しっこうやく:executive officer}、[理事]{りじ:trustee}、[監査役]{かんさやく:auditor}、[派遣]{はけん:dispatch}[社員]{しゃいん:worker}[等]{とう:etc.}、[事業者]{じぎょうしゃ:business operator}の[指揮]{しき:command}[命令]{めいれい:order}の[下]{もと:under}で[業務]{ぎょうむ:business}に[従事]{じゅうじ:engage}する[者]{もの:person}すべてを[含]{ふく:include}む。ただし、[委託先]{いたくさき:outsourcing partner}の[社員]{しゃいん:employee}は[含]{ふく:include}まない。",[281,282],"human-measures","employee-definition",{"id":284,"articleId":285,"question":286,"options":289,"correctLabel":227,"explanation":302,"tags":305},"kjh-k2-h02-q04","kjh-k2-h02-anzen-kanri-sochi",{"en":287,"jp":288},"Which of the following is NOT included in the three elements of outsourcing partner supervision?","[委託先]{いたくさき:outsourcing partner}の[監督]{かんとく:supervision}における3[要素]{ようそ:elements}に[含]{ふく:include}まれないものはどれか。",[290,293,296,299],{"label":215,"jp":291,"en":292},"[適切]{てきせつ:appropriate}な[委託先]{いたくさき:outsourcing partner}の[選定]{せんてい:selection}","Appropriate selection of the outsourcing partner",{"label":219,"jp":294,"en":295},"[委託]{いたく:outsourcing}[契約]{けいやく:contract}の[締結]{ていけつ:conclusion}","Conclusion of an outsourcing contract",{"label":223,"jp":297,"en":298},"[委託先]{いたくさき:outsourcing partner}における[取扱]{とりあつかい:handling}[状況]{じょうきょう:status}の[把握]{はあく:grasp}","Monitoring the handling status at the outsourcing partner",{"label":227,"jp":300,"en":301},"[委託先]{いたくさき:outsourcing partner}[社員]{しゃいん:employee}への[直接]{ちょくせつ:direct}[指揮]{しき:command}[命令]{めいれい:order}","Direct command and control of the outsourcing partner's employees",{"en":303,"jp":304},"The three 
elements of outsourcing partner supervision are: (1) appropriate selection, (2) conclusion of a contract, and (3) monitoring handling status. Directly commanding the outsourcing partner's employees could constitute disguised contracting (gisou ukeoi) and is not part of proper supervision.","[委託先]{いたくさき:outsourcing partner}[監督]{かんとく:supervision}の3[要素]{ようそ:elements}は、(1)[適切]{てきせつ:appropriate}な[委託先]{いたくさき:outsourcing partner}の[選定]{せんてい:selection}、(2)[委託]{いたく:outsourcing}[契約]{けいやく:contract}の[締結]{ていけつ:conclusion}、(3)[委託先]{いたくさき:outsourcing partner}における[取扱]{とりあつかい:handling}[状況]{じょうきょう:status}の[把握]{はあく:grasp}。[委託先]{いたくさき:outsourcing partner}[社員]{しゃいん:employee}への[直接]{ちょくせつ:direct}[指揮]{しき:command}[命令]{めいれい:order}は[偽装]{ぎそう:fake}[請負]{うけおい:contracting}に[該当]{がいとう:applicable}する[恐]{おそ:fear}れがあり、[監督]{かんとく:supervision}の[要素]{ようそ:element}ではない。",[306],"outsourcing-supervision",{"id":308,"articleId":285,"question":309,"options":312,"correctLabel":227,"explanation":325,"tags":328},"kjh-k2-h02-q05",{"en":310,"jp":311},"What should be done FIRST when a personal data breach occurs?","[個人]{こじん:personal}データの[漏]{ろう:leak}えい[等]{とう:etc.}が[発生]{はっせい:occur}した[場合]{ばあい:case}の[対応]{たいおう:response}フローとして[最初]{さいしょ:first}に[行]{おこな:perform}うべきことはどれか。",[313,316,319,322],{"label":215,"jp":314,"en":315},"[個人情報]{こじんじょうほう:personal information}[保護]{ほご:protection}[委員会]{いいんかい:commission}への[報告]{ほうこく:report}","Reporting to the Personal Information Protection Commission",{"label":219,"jp":317,"en":318},"[本人]{ほんにん:the individual}への[通知]{つうち:notification}","Notifying the individual",{"label":223,"jp":320,"en":321},"[事実]{じじつ:fact}[関係]{かんけい:relationship}の[調査]{ちょうさ:investigation}および[原因]{げんいん:cause}の[究明]{きゅうめい:investigation}","Investigation of the facts and root cause analysis",{"label":227,"jp":323,"en":324},"[事業者]{じぎょうしゃ:business operator}[内部]{ないぶ:internal}における[報告]{ほうこく:report}および[被害]{ひがい:damage}[拡大]{かくだい:expansion}[防止]{ぼうし:prevention}","Internal reporting and prevention of further damage",{"en":326,"jp":327},"The breach 
response flow is: (1) internal reporting and damage containment, (2) fact-finding and root cause analysis, (3) scope identification, (4) recurrence prevention, and (5) reporting to the PPC and notifying the individual. Internal reporting and containment come first.","[漏]{ろう:leak}えい[等]{とう:etc.}[発生]{はっせい:occurrence}[時]{じ:time}のフローは、まず(1)[事業者]{じぎょうしゃ:business operator}[内部]{ないぶ:internal}での[報告]{ほうこく:report}・[被害]{ひがい:damage}[拡大]{かくだい:expansion}[防止]{ぼうし:prevention}、(2)[事実]{じじつ:fact}[関係]{かんけい:relationship}の[調査]{ちょうさ:investigation}・[原因]{げんいん:cause}[究明]{きゅうめい:investigation}、(3)[影響]{えいきょう:impact}[範囲]{はんい:scope}の[特定]{とくてい:identification}、(4)[再発]{さいはつ:recurrence}[防止策]{ぼうしさく:prevention measures}、(5)[個人情報]{こじんじょうほう:personal information}[保護]{ほご:protection}[委員会]{いいんかい:commission}への[報告]{ほうこく:report}・[本人]{ほんにん:the individual}への[通知]{つうち:notification}の[順]{じゅん:order}で[行]{おこな:perform}う。",[329],"incident-response",{"id":331,"articleId":285,"question":332,"options":335,"correctLabel":215,"explanation":348,"tags":351},"kjh-k2-h02-q06",{"en":333,"jp":334},"In establishing the organizational structure, which position oversees the entire personal information protection system of the business operator?","[組織]{そしき:organizational}[体制]{たいせい:structure}の[整備]{せいび:establishment}において、[事業者]{じぎょうしゃ:business operator}[全体]{ぜんたい:overall}の[個人]{こじん:personal}[情報]{じょうほう:information}[保護]{ほご:protection}[体制]{たいせい:system}を[統括]{とうかつ:oversee}する[役職]{やくしょく:position}はどれか。",[336,339,342,345],{"label":215,"jp":337,"en":338},"CPO（Chief Privacy Officer）","CPO (Chief Privacy Officer)",{"label":219,"jp":340,"en":341},"[個人]{こじん:personal}[情報]{じょうほう:information}[保護]{ほご:protection}[監査]{かんさ:audit}[責任者]{せきにんしゃ:officer}","Personal Information Protection Audit Officer",{"label":223,"jp":343,"en":344},"[部門]{ぶもん:division}[長]{ちょう:manager}","Division Manager",{"label":227,"jp":346,"en":347},"[取扱]{とりあつかい:handling}[担当者]{たんとうしゃ:staff}","Handling Staff",{"en":349,"jp":350},"The CPO (Chief Privacy Officer) sits at the top and oversees the 
entire organization's personal information protection system. The audit officer conducts audits from a position independent of the CPO. Division managers supervise at the field level, and handling staff are the workers who actually handle personal data.","CPO（Chief Privacy Officer）は[最]{もっと:most}[上位]{じょうい:top}に[配置]{はいち:placed}され、[組織]{そしき:organization}[全体]{ぜんたい:entire}の[個人]{こじん:personal}[情報]{じょうほう:information}[保護]{ほご:protection}[体制]{たいせい:system}を[統括]{とうかつ:oversee}する。[監査]{かんさ:audit}[責任者]{せきにんしゃ:officer}はCPOから[独立]{どくりつ:independent}した[立場]{たちば:position}で[監査]{かんさ:audit}を[行う]{おこなう:perform}。[部門]{ぶもん:division}[長]{ちょう:manager}は[現場]{げんば:field}[レベル]{レベル:level}での[監督]{かんとく:supervision}、[取扱]{とりあつかい:handling}[担当者]{たんとうしゃ:staff}は[実際]{じっさい:actual}に[個人]{こじん:personal}データを[扱う]{あつかう:handle}[者]{もの:persons}である。",[352,353],"organizational-structure","CPO",{"id":355,"articleId":285,"question":356,"options":359,"correctLabel":227,"explanation":372,"tags":375},"kjh-k2-h02-q07",{"en":357,"jp":358},"Which of the following is NOT a triggering condition for the leakage reporting obligation under Article 26 of the amended Personal Information Protection Act?","[改正]{かいせい:amended}[個人]{こじん:personal}[情報]{じょうほう:information}[保護法]{ほごほう:Protection Act}[第]{だい:Article}26[条]{じょう:article}における[漏]{ろう:leak}えい[等]{とう:etc.}[報告]{ほうこく:report}[義務]{ぎむ:obligation}の[対象]{たいしょう:subject}[要件]{ようけん:requirement}に[該当]{がいとう:applicable}しないものはどれか。",[360,363,366,369],{"label":215,"jp":361,"en":362},"[要]{よう:requiring}[配慮]{はいりょ:consideration}[個人]{こじん:personal}[情報]{じょうほう:information}の[漏]{ろう:leak}えい","Leakage of specially-care-required personal information",{"label":219,"jp":364,"en":365},"[不正]{ふせい:unauthorized}[利用]{りよう:use}による[財産的]{ざいさんてき:property}[被害]{ひがい:damage}の[恐]{おそ:fear}れがある[漏]{ろう:leak}えい","Leakage that may cause property damage through unauthorized use",{"label":223,"jp":367,"en":368},"[不正]{ふせい:unauthorized}な[目的]{もくてき:purpose}による[恐]{おそ:fear}れがある[漏]{ろう:leak}えい","Leakage suspected of being for unauthorized 
purposes",{"label":227,"jp":370,"en":371},"100[人]{にん:persons}を[超]{こ:exceed}える[漏]{ろう:leak}えい","Leakage exceeding 100 individuals",{"en":373,"jp":374},"The numerical threshold is \"leakage exceeding 1,000 persons,\" not 100. The other three are all conditions that mandate reporting to the PPC and notifying the individual. Reporting is in two stages: preliminary report (within 3-5 days of discovery) and definitive report (within 30 days; 60 days for unauthorized-purpose cases).","[数]{かず:numerical}[的]{てき:-ical}[要件]{ようけん:requirement}は「1,000[人]{にん:persons}を[超]{こ:exceed}える[漏]{ろう:leak}えい」であり、100[人]{にん:persons}ではない。[他]{ほか:other}の3つはすべてPPCへの[報告]{ほうこく:report}・[本人]{ほんにん:individual}[通知]{つうち:notification}が[義務]{ぎむ:mandatory}づけられる[要件]{ようけん:condition}。[報告]{ほうこく:report}は[速報]{そくほう:preliminary report}（[発見]{はっけん:discovery}から3〜5[日]{にち:days}[以内]{いない:within}）と[確報]{かくほう:definitive report}（30[日]{にち:days}[以内]{いない:within}、[不正]{ふせい:unauthorized}[目的]{もくてき:purpose}は60[日]{にち:days}）の2[段階]{だんかい:stages}で[行う]{おこなう:made}。",[376,377],"breach-reporting","article-26",{"id":379,"articleId":285,"question":380,"options":383,"correctLabel":227,"explanation":396,"tags":399},"kjh-k2-h02-q08",{"en":381,"jp":382},"Which of the following is NOT an appropriate point in time to conclude or confirm a non-disclosure agreement (NDA)?","[秘密]{ひみつ:secret}[保持]{ほじ:maintenance}[契約]{けいやく:contract}（NDA）の[締結]{ていけつ:conclusion}[時]{じ:time}[点]{てん:point}として[適切]{てきせつ:appropriate}でないものはどれか。",[384,387,390,393],{"label":215,"jp":385,"en":386},"[入社]{にゅうしゃ:joining the company}[時]{じ:time}に[誓約書]{せいやくしょ:pledge}を[提出]{ていしゅつ:submit}させる","Submitting a pledge upon joining the company",{"label":219,"jp":388,"en":389},"[部署]{ぶしょ:department}[異動]{いどう:transfer}[時]{じ:time}に[再度]{さいど:again}[確認]{かくにん:confirm}する","Re-confirming upon department transfer",{"label":223,"jp":391,"en":392},"[退職]{たいしょく:resignation}[時]{じ:time}に[退職]{たいしょく:after leaving}[後]{ご:after}も[継続]{けいぞく:continuing}する[守秘]{しゅひ:confidentiality}[義務]{ぎむ:obligation}を[書面]{しょめん:in 
writing}で[確認]{かくにん:confirm}する","Confirming the continuing post-resignation confidentiality obligation in writing at resignation",{"label":227,"jp":394,"en":395},"[採用]{さいよう:hiring}[面接]{めんせつ:interview}の[段階]{だんかい:stage}で[応募者]{おうぼしゃ:applicant}[全員]{ぜんいん:all}に[締結]{ていけつ:conclude}させる","Requiring all applicants to sign at the recruitment interview stage",{"en":397,"jp":398},"NDAs are concluded and confirmed at three points: joining, department transfer, and resignation. At the recruitment interview stage, no employment relationship exists yet, so it would lack effectiveness. Provisions should also be in employment rules, with disciplinary actions for violations clearly stated.","NDAは[入社]{にゅうしゃ:joining}[時]{じ:time}・[部署]{ぶしょ:department}[異動]{いどう:transfer}[時]{じ:time}・[退職]{たいしょく:resignation}[時]{じ:time}の3つの[時点]{じてん:points in time}で[締結]{ていけつ:concluded}・[確認]{かくにん:confirmed}する。[採用]{さいよう:recruitment}[面接]{めんせつ:interview}[段階]{だんかい:stage}では[雇用]{こよう:employment}[関係]{かんけい:relationship}が[成立]{せいりつ:established}しておらず[実効性]{じっこうせい:effectiveness}に[乏しい]{とぼしい:lacking}。[就業]{しゅうぎょう:employment}[規則]{きそく:rules}にも[規定]{きてい:provisions}を[設け]{もうけ:establish}、[違反]{いはん:violation}[時]{じ:case}の[懲戒]{ちょうかい:disciplinary}[処分]{しょぶん:action}を[明記]{めいき:state}する。",[400,401],"NDA","confidentiality",{"id":403,"articleId":285,"question":404,"options":407,"correctLabel":219,"explanation":420,"tags":423},"kjh-k2-h02-q09",{"en":405,"jp":406},"Which of the following correctly describes internal audits?","[内部]{ないぶ:internal}[監査]{かんさ:audit}についての[説明]{せつめい:explanation}として[正]{ただ:correct}しいものはどれか。",[408,411,414,417],{"label":215,"jp":409,"en":410},"[監査]{かんさ:audit}は[被]{ひ:audited}[監査]{かんさ:audit}[部門]{ぶもん:department}と[同]{おな:same}じ[部門]{ぶもん:department}が[実施]{じっし:conduct}する","Audits are conducted by the same department as the audited department",{"label":219,"jp":412,"en":413},"PDCAサイクルの「Check」と「Act」に[該当]{がいとう:correspond}し、[年]{ねん:year}に1[回]{かい:time}[以上]{いじょう:or more}[実施]{じっし:conduct}するのが[望]{のぞ:desirable}ましい","Corresponds to \"Check\" and \"Act\" 
in the PDCA cycle and is desirable to conduct at least once per year",{"label":223,"jp":415,"en":416},"[監査]{かんさ:audit}[結果]{けっか:results}は[機密]{きみつ:confidential}[性]{せい:-ity}[保持]{ほじ:maintenance}のため[経営]{けいえい:management}[層]{そう:level}には[報告]{ほうこく:report}しない","Audit results are not reported to management for confidentiality reasons",{"label":227,"jp":418,"en":419},"[外部]{がいぶ:external}[環境]{かんきょう:environment}の[変化]{へんか:change}は[監査]{かんさ:audit}や[見直し]{みなおし:review}には[影響]{えいきょう:influence}しない","External environment changes do not affect audits or reviews",{"en":421,"jp":422},"Internal audits correspond to \"Check\" and \"Act\" in PDCA and are desirably conducted at least once a year. Audits must be conducted objectively from an independent position (audit officer independent of the CPO). Results are reported to management, with corrective measures taken. Reviews are conducted in response to legal amendments and new threats.","[内部]{ないぶ:internal}[監査]{かんさ:audit}はPDCAの「Check（[点検]{てんけん:check}）」「Act（[改善]{かいぜん:improvement}）」に[該当]{がいとう:corresponds}し、[年]{ねん:year}1[回]{かい:time}[以上]{いじょう:or more}が[望]{のぞ:desired}ましい。[監査]{かんさ:audit}は[独立]{どくりつ:independent}した[立場]{たちば:position}（CPOから[独立]{どくりつ:independent}した[監査]{かんさ:audit}[責任者]{せきにんしゃ:officer}）から[客観的]{きゃっかんてき:objectively}に[行う]{おこなう:conducted}必要があり、[結果]{けっか:results}は[経営]{けいえい:management}[層]{そう:level}に[報告]{ほうこく:report}し[是正]{ぜせい:corrective}[措置]{そち:measures}を[講]{こう:take}じる。[法令]{ほうれい:legal}[改正]{かいせい:amendments}や[新た]{あらた:new}な[脅威]{きょうい:threats}に[応]{おう:in response to}じて[見直]{みなお:review}しを[行う]{おこなう:conducted}。",[424,425],"internal-audit","PDCA",{"id":427,"articleId":6,"question":428,"options":431,"correctLabel":219,"explanation":444,"tags":447},"kjh-k2-h02-q10",{"en":429,"jp":430},"In the hierarchical document structure for personal information protection, which document is at the highest 
level?","[個人]{こじん:personal}[情報]{じょうほう:information}[保護]{ほご:protection}に[関]{かん:related}する[規程]{きてい:regulation}[文書]{ぶんしょ:documents}の[階層]{かいそう:hierarchy}[構造]{こうぞう:structure}において、[最上位]{さいじょうい:highest level}に[位置]{いち:positioned}するのはどれか。",[432,435,438,441],{"label":215,"jp":433,"en":434},"[実施]{じっし:implementation}[手順書]{てじゅんしょ:procedure manual}・マニュアル","Implementation procedure manuals",{"label":219,"jp":436,"en":437},"[基本]{きほん:basic}[方針]{ほうしん:policy}（プライバシーポリシー）","Basic policy (privacy policy)",{"label":223,"jp":439,"en":440},"[個人]{こじん:personal}[情報]{じょうほう:information}[保護]{ほご:protection}[規程]{きてい:regulation}（[管理]{かんり:management}[規程]{きてい:regulation}）","Personal information protection regulations (management regulations)",{"label":227,"jp":442,"en":443},"[様式]{ようしき:forms}・[記録]{きろく:records}（[申請書]{しんせいしょ:application forms}・[台帳]{だいちょう:ledgers}）","Forms and records (application forms, ledgers)",{"en":445,"jp":446},"The document system has 4 tiers: highest = basic policy (privacy policy); second = protection regulations; third = implementation procedure manuals; fourth = forms and records. 
Higher-level documents show organizational intent; lower-level documents stipulate concrete operations.","[文書]{ぶんしょ:document}[体系]{たいけい:system}は4[層]{そう:tiers}：[最上位]{さいじょうい:highest}＝[基本]{きほん:basic}[方針]{ほうしん:policy}（プライバシーポリシー）、[第二]{だいに:second}[層]{そう:layer}＝[保護]{ほご:protection}[規程]{きてい:regulation}、[第三]{だいさん:third}[層]{そう:layer}＝[実施]{じっし:implementation}[手順書]{てじゅんしょ:procedure manual}、[第四]{だいよん:fourth}[層]{そう:layer}＝[様式]{ようしき:forms}・[記録]{きろく:records}。[上位]{じょうい:higher}[文書]{ぶんしょ:documents}は[組織]{そしき:organization}の[意思]{いし:intent}を[示し]{しめし:show}、[下位]{かい:lower}[文書]{ぶんしょ:documents}は[具体的]{ぐたいてき:concrete}な[運用]{うんよう:operation}を[規定]{きてい:stipulate}する。",[448,449],"policy-hierarchy","privacy-policy",{"id":451,"articleId":6,"question":452,"options":455,"correctLabel":219,"explanation":468,"tags":471},"kjh-k2-h02-q11",{"en":453,"jp":454},"Which is the correct formula for calculating ALE (Annual Loss Expectancy) in quantitative risk analysis?","[定量的]{ていりょうてき:quantitative}リスク[分析]{ぶんせき:analysis}における ALE（Annual Loss Expectancy）の[計算]{けいさん:calculation}[式]{しき:formula}として[正]{ただ:correct}しいものはどれか。",[456,459,462,465],{"label":215,"jp":457,"en":458},"ALE ＝ [脅威]{きょうい:threat} × [脆弱性]{ぜいじゃくせい:vulnerability}","ALE = Threat x Vulnerability",{"label":219,"jp":460,"en":461},"ALE ＝ SLE × ARO","ALE = SLE x ARO",{"label":223,"jp":463,"en":464},"ALE ＝ [資産]{しさん:asset}[価値]{かち:value} ÷ [発生]{はっせい:occurrence}[頻度]{ひんど:frequency}","ALE = Asset Value \u002F Occurrence Frequency",{"label":227,"jp":466,"en":467},"ALE ＝ [被害]{ひがい:damage}[額]{がく:amount} ＋ [対策]{たいさく:countermeasure}[費用]{ひよう:cost}","ALE = Damage Amount + Countermeasure Cost",{"en":469,"jp":470},"ALE (Annual Loss Expectancy) = SLE (Single Loss Expectancy) x ARO (Annualized Rate of Occurrence). Example: if a single leak causes 5 million yen damage and occurs 0.1 times\u002Fyear, ALE = 500,000 yen. 
Qualitative analysis uses level ratings like \"high\u002Fmedium\u002Flow.\"","ALE（Annual Loss Expectancy、[年間]{ねんかん:annual}[予想]{よそう:expected}[損失額]{そんしつがく:loss amount}）＝SLE（Single Loss Expectancy、1[回]{かい:one}[当]{あ:per}たりの[損失額]{そんしつがく:loss amount}）×ARO（Annualized Rate of Occurrence、[年間]{ねんかん:annual}[発生]{はっせい:occurrence}[頻度]{ひんど:frequency}）。[例]{れい:example}：1[回]{かい:one}の[漏]{ろう:leak}えいで500[万]{まん:10,000}[円]{えん:yen}の[被害]{ひがい:damage}が[予想]{よそう:expected}され、[年]{ねん:year}0.1[回]{かい:times}[発生]{はっせい:occur}するなら、ALE＝50[万]{まん:10,000}[円]{えん:yen}。[定性的]{ていせいてき:qualitative}[分析]{ぶんせき:analysis}は「[高]{こう:high}・[中]{ちゅう:medium}・[低]{てい:low}」のレベル[評価]{ひょうか:evaluation}である。",[472,93,473],"risk-analysis","ALE",{"id":475,"articleId":285,"question":476,"options":479,"correctLabel":219,"explanation":492,"tags":495},"kjh-k2-h02-q12",{"en":477,"jp":478},"What may a situation be considered when an outsourcer directly commands the outsourcing partner's employees?","[委託先]{いたくさき:outsourcing partner}[社員]{しゃいん:employee}を[委託元]{いたくもと:outsourcer}[企業]{きぎょう:company}が[直接]{ちょくせつ:directly}[指揮]{しき:command}[命令]{めいれい:order}した[場合]{ばあい:case}に[該当]{がいとう:applicable}する[恐]{おそ:concern}れがあるものはどれか。",[480,483,486,489],{"label":215,"jp":481,"en":482},"[適法]{てきほう:legal}な[業務]{ぎょうむ:business}[委託]{いたく:outsourcing}","Legal business outsourcing",{"label":219,"jp":484,"en":485},"[偽装]{ぎそう:disguised}[請負]{うけおい:contracting}","Disguised contracting (gisou ukeoi)",{"label":223,"jp":487,"en":488},"[再]{さい:sub-}[委託]{いたく:outsourcing}","Subcontracting",{"label":227,"jp":490,"en":491},"[労働]{ろうどう:labor}[者]{しゃ:worker}[派遣]{はけん:dispatch}","Worker dispatch",{"en":493,"jp":494},"Under a business outsourcing (contracting) agreement, command and control of the outsourcing partner's employees should be performed by the outsourcing partner company. 
If the outsourcer directly commands them, the actual situation is no different from worker dispatch and may constitute \"disguised contracting\" (gisou ukeoi), which violates the Worker Dispatch Act.","[業務]{ぎょうむ:business}[委託]{いたく:outsourcing}（[請負]{うけおい:contracting}）[契約]{けいやく:contract}では、[委託先]{いたくさき:outsourcing partner}[社員]{しゃいん:employee}への[指揮]{しき:command}[命令]{めいれい:order}は[委託先]{いたくさき:outsourcing partner}[企業]{きぎょう:company}が[行う]{おこなう:perform}べき。[委託元]{いたくもと:outsourcer}が[直接]{ちょくせつ:directly}[指揮]{しき:command}[命令]{めいれい:order}すると[実態]{じったい:reality}は[労働]{ろうどう:labor}[者]{しゃ:worker}[派遣]{はけん:dispatch}と[変]{か:change}わらず、「[偽装]{ぎそう:disguised}[請負]{うけおい:contracting}」に[該当]{がいとう:applicable}する[恐]{おそ:fear}れがあり、[労働]{ろうどう:labor}[者]{しゃ:worker}[派遣法]{はけんほう:Dispatch Act}[違反]{いはん:violation}となる。",[306,496],"gisou-ukeoi",{"id":498,"articleId":285,"question":499,"options":502,"correctLabel":219,"explanation":515,"tags":518},"kjh-k2-h02-q13",{"en":500,"jp":501},"Which is the correct deadline (in principle) for submitting the \"definitive report\" (kakuhou) under the amended Personal Information Protection Act after a leak?","[改正]{かいせい:amended}[個人]{こじん:personal}[情報]{じょうほう:information}[保護法]{ほごほう:Protection Act}における[漏]{ろう:leak}えい[時]{じ:time}の「[確報]{かくほう:definitive report}」の[提出]{ていしゅつ:submission}[期限]{きげん:deadline}（[原則]{げんそく:in principle}）として[正]{ただ:correct}しいものはどれか。",[503,506,509,512],{"label":215,"jp":504,"en":505},"[発見]{はっけん:discovery}から3〜5[日]{にち:days}[以内]{いない:within}","Within 3-5 days of discovery",{"label":219,"jp":507,"en":508},"[発見]{はっけん:discovery}から30[日]{にち:days}[以内]{いない:within}","Within 30 days of discovery",{"label":223,"jp":510,"en":511},"[発見]{はっけん:discovery}から60[日]{にち:days}[以内]{いない:within}","Within 60 days of discovery",{"label":227,"jp":513,"en":514},"[発見]{はっけん:discovery}から90[日]{にち:days}[以内]{いない:within}","Within 90 days of discovery",{"en":516,"jp":517},"Reporting to the PPC after a leak is in two stages: preliminary report = within 3-5 days of discovery (outline), definitive report = within 30 
days (including cause and recurrence prevention measures). However, for leaks with unauthorized purposes, the deadline is extended to within 60 days.","[漏]{ろう:leak}えい[時]{じ:time}のPPCへの[報告]{ほうこく:report}は2[段階]{だんかい:stages}：[速報]{そくほう:preliminary report}＝[発見]{はっけん:discovery}から3〜5[日]{にち:days}[以内]{いない:within}（[概要]{がいよう:outline}）、[確報]{かくほう:definitive report}＝30[日]{にち:days}[以内]{いない:within}（[原因]{げんいん:cause}・[再発]{さいはつ:recurrence}[防止]{ぼうし:prevention}[策]{さく:measures}まで[含]{ふく:include}む）。ただし[不正]{ふせい:unauthorized}な[目的]{もくてき:purpose}による[漏]{ろう:leak}えいは60[日]{にち:days}[以内]{いない:within}と[期限]{きげん:deadline}が[延長]{えんちょう:extended}される。",[376,519],"kakuhou"]