情報セキュリティ　初級編 - Week2 (M) -

The correct answer is A: 脅威 (threat) and B: 脆弱性 (vulnerability). In the context of information security, a risk refers to the potential for a threat to exploit weaknesses in information systems or organizations, causing harm to information security. Therefore, the answer choice A: 脅威 (threat) and B: 脆弱性 (vulnerability) accurately represents the concept of risk in information security.

The incorrect statement is "トップの経営者の関与が不要" which translates to "Top management involvement is not necessary." This contradicts the concept of management systems, as top management involvement is essential for effective implementation and success of the system.

PCの故障によるデータの使用不可は、可用性の維持に関係する要素です。PCの故障が発生すると、データにアクセスできなくなり、業務や作業の継続性が損なわれる可能性があります。データの使用不可は、組織や個人の生産性を低下させることがあります。そのため、可用性を維持するためには、PCの故障に備えたバックアップやデータ復旧の対策が重要です。

The correct answer is "監査対象組織と同じ部署の者が監査を実施する" (Having someone from the same department as the audited organization conduct the audit). This is not suitable because it may lead to bias and lack of objectivity in the audit process. Internal audits should be conducted by individuals who are independent and impartial to ensure an unbiased assessment of the security management system.

The correct answer is "マネジメントレビューによる継続的改善" which translates to "Continuous improvement through management review". In the PDCA cycle model of ISMS (Information Security Management System) explained in the lecture, the Plan phase includes activities such as defining the management structure, clarifying the scope of ISMS and the information to be protected, and conducting risk assessment. However, the continuous improvement through management review is not a part of the Plan phase, but rather a part of the Do, Check, and Act phases of the PDCA cycle.

The combination of "performing backups" as a task and "deterrence of unauthorized operations" as a purpose does not align. Backups are primarily carried out to ensure data recovery in case of loss or corruption, rather than preventing unauthorized operations.

The correct answer is "情報セキュリティ実施手順" because this document is specifically focused on providing detailed procedures and steps for implementing information security measures. It outlines the specific actions that need to be taken to ensure the security of information systems. On the other hand, the other options mentioned are more general in nature and may not provide the specific implementation details required.

The correct answer is the explanation that states "責任者の判断と、より専門的な技術者に解決を委ねていく段階的な仕組み" which means "A step-by-step system in which the responsible person makes decisions and delegates the resolution to more specialized technicians." This explanation describes a hierarchical escalation process where the initial responders escalate the incident to a responsible person who then assesses the situation and delegates the resolution to more specialized technicians. This ensures that the incident is handled by the appropriate personnel with the necessary expertise.

ISOは、電気分野を除く工業分野の国際規格を策定するための非政府組織です。国際標準化団体として、ISOはさまざまな分野で標準化を行っており、製品の品質、安全性、環境への配慮などを確保するための国際的な基準を策定しています。ISOの規格は、企業や組織が国際的な取引や協力を行う際に重要な役割を果たしており、国際的な品質管理システムの基礎となっています。

The correct answer is "ISMS認証制度はJIS Q 15001に適合していることを第三者が審査・認証する制度である". This statement is incorrect because ISMS認証制度 (ISMS certification system) does not specifically require conformity to JIS Q 15001. ISMS認証制度 is a system where third parties assess and certify the conformity of an organization's Information Security Management System (ISMS) with the relevant standards and requirements.