When you hear the terms due care and due diligence, you may assume they mean the same thing and can be used interchangeably, but in the information security world they have two very different meanings. If you work in information security, it is worth becoming familiar with both terms and the difference between them, because they shape your security program. In today’s business environment, prudence is mandatory. Showing due care and due diligence is the only way to disprove negligence when a loss occurs. Senior management must be able to demonstrate due care and due diligence to reduce their culpability and liability when a loss occurs.
Due care is using reasonable care to protect the interests of an organization.
Due diligence is practising the activities that maintain the due care effort.
For example, due care is developing a formalized security structure containing a security policy, standards, baselines, guidelines, and procedures. Due diligence is the continued application of this security structure onto the IT infrastructure of an organization.
To better understand the two terms, let us break Due Care and Due Diligence down a little further.
Difference between Due Care and Due Diligence
Both terms start with the word Due. You may have heard the phrase ‘giving something its due’. In this context, the word Due means affording that item what it deserves. Applied to information security, it means we should always ensure that the systems, people and data we manage receive the amount of protection they deserve.
Care – If you care about something you will do everything you possibly can to protect it, which means you will put careful thought into how you will care for it. To provide that level of care, you will have to set a mandatory set of rules and guidelines to keep it safe. If you care about the clients, personnel, data and systems you are endeavouring to protect, then you take the time to think about and create policies that protect them from harm, abuse, unauthorized access, accidental damage and destruction, etc. Exercising due care by setting the rules and guidelines is only the start, and it will do you no good unless they are followed. This is where Due Diligence comes into play.
Diligence – The term Diligence is defined as careful and persistent work or effort. The best way to describe due diligence in the context of information security is that it is simply the execution of due care. It is the diligent, careful and persistent work placed into making sure that policies and procedures are actually used. When you exercise due care by enabling logging on a secure system, what good is it if you are not diligent about reviewing those logs? Diligence is the persistent, continual work required to make the initial care you put in valuable.
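To make the logging illustration concrete, here is an added example (not code from the original article) of what the “diligence” half looks like in practice: a small review routine that reads authentication log lines and surfaces source addresses with repeated failed logins, so that the logs enabled under due care are actually acted upon. The log lines, hostnames and addresses are constructed for the example; the format mimics an OpenSSH `sshd` syslog line, and the threshold of three failures is an arbitrary assumption.

```python
import re
from collections import Counter

# Constructed sample log lines (sshd-style syslog). Addresses are from the
# RFC 5737 documentation ranges and do not refer to real hosts.
SAMPLE_LOG = """\
Mar 10 09:14:02 host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51822 ssh2
Mar 10 09:14:05 host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51823 ssh2
Mar 10 09:14:09 host1 sshd[2101]: Failed password for root from 203.0.113.7 port 51824 ssh2
Mar 10 09:15:40 host1 sshd[2188]: Accepted publickey for alice from 198.51.100.4 port 40122 ssh2
Mar 10 09:16:01 host1 sshd[2190]: Failed password for bob from 198.51.100.9 port 40201 ssh2
Mar 10 09:16:12 host1 sshd[2192]: Accepted password for bob from 198.51.100.9 port 40202 ssh2
"""

# Matches the user and source address of a failed-password event; the
# optional "invalid user" prefix appears when the account does not exist.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3})"
)


def count_failures_by_source(log_text):
    """Count failed-password events per source address.

    Lines that do not match the failure pattern (successful logins, unrelated
    daemons) are ignored rather than treated as errors.
    """
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILED_RE.search(line)
        if match:
            counts[match.group(2)] += 1
    return counts


def sources_over_threshold(log_text, threshold=3):
    """Return the sorted source addresses with at least `threshold` failures.

    The threshold is an assumed review policy value, not something the
    article prescribes; tune it to the environment's normal failure rate.
    """
    counts = count_failures_by_source(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def review_report(log_text, threshold=3):
    """Produce the human-readable findings a reviewer would record."""
    counts = count_failures_by_source(log_text)
    flagged = sources_over_threshold(log_text, threshold)
    if not flagged:
        return ["No source exceeded %d failed logins." % threshold]
    return [
        "%s: %d failed logins (threshold %d)" % (ip, counts[ip], threshold)
        for ip in flagged
    ]


if __name__ == "__main__":
    for finding in review_report(SAMPLE_LOG):
        print(finding)
```

Running the script flags only 203.0.113.7 (three failures); bob’s single failure followed by a success stays below the threshold. The point is not the detection logic itself but that a routine like this, scheduled and its findings followed up, is what turns “logging is enabled” into diligence.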
Both of these terms, due care and due diligence, work hand in hand and rely on each other to establish and sustain a strong security framework. Due care is useless without the diligence that makes it worthwhile: policy without enforcement is yelling into the wind. But due diligence means nothing if you have not taken the time to establish the appropriate policy to protect what is important to you.
In summary:
Due care is the thought put into securing your environment by creating policies and procedures to protect it. Due diligence is the effort you put into making sure those policies/procedures are enforced and utilized.