Difference between similar looking but different terms

Hi,

Could anyone describe the difference between [FONT=Arial, Helvetica, sans-serif]certification and accreditation? Because from what I know from real life experience does not match with what is described in the text book[/FONT]

Find more posts tagged with

Comments

nk_vn

It cannot be any clearer than the way it is described in AiO:

Certification is the technical evaluation of the security components and their compliance.

Accreditation is the management's formal acceptance of the adequacy of a system’s overall security and functionality.

Certification first, then after the management is sure that the solution is technically sound and compliant, they can formally approve it and accreditation takes place.

636-555-3226

In terms of "real life experience" think of it like taking the test.

First you take the certification test

Second someone at ISC2 looks at your certification test results and checks the box to approve your accreditation.

Hunter85

Thanks a lot for the tip, it know really makes sense

I have few more things which I would like to ask because I am finding difference between study books

1. Who is ultimately responsible for a poor programming which can lead to a data breach? Is it the developer, tester, security admin or project manager?

2. Who defines what data gets backed up and how often? Ops, management, legal, security, data owner etc...

dinhtq

Hunter85 wrote: »

Thanks a lot for the tip, it know really makes sense

I have few more things which I would like to ask because I am finding difference between study books

1. Who is ultimately responsible for a poor programming which can lead to a data breach? Is it the developer, tester, security admin or project manager?

2. Who defines what data gets backed up and how often? Ops, management, legal, security, data owner etc...

1 ) Project Manager
2) Data Owner

Hunter85

dinhtq wrote: »

1 ) Project Manager
2) Data Owner

Yeah this is what i thought so but according to study guides it is

1. Security Admin
2. Management

These are really open ended questions and I do not know which source provides the correct (or CISSP correct) answer.

Can anyone who already passed the exam (or attended) clarify if there are questions like that in the exam?

I can give more examples like. What is the first step when you want to do a risk assessment?

1 source says, identify assets, the other one says gather risk assessment team....

Sam_aqua

I go with as below -

1 - Project manager - It says Ultimately responsible, so assuming PM is the one owning the project from management side... and can't think why would Security admin be 'ultimately' responsible considering the person won't even be from management chain.

2 - Data owner, who instructs data custodian to perform data backups. Data owner are normally department heads so they are usually from management, however data owner is more specific choice here imo.

cbkihong

Hunter85 wrote: »

Yeah this is what i thought so but according to study guides it is

1. Security Admin
2. Management

Your study guides seems to stink ... agree with sam_aqua, that aligns with my impression from my study of the CBK too.