An important concept in the CISSP exam is that of due care and due diligence. The two concepts are often confused and used interchangeably, however related, they are not the same. Let’s go through and discuss the two concepts individually, and then we’ll discuss the concepts in how they relate to IT Security.
Due Care, in very simple terms, is doing the “right” thing, or doing what a reasonable person would do in a given situation. Here is a simple example. You’re renting an apartment and you notice that your faucet is leaking. So as a reasonable person you take due care and report it before it gets worse. If due care is not taken, you may be at fault if it breaks.
Due diligence is an action created out of due care, and is described as “the management of due care.” Example. It’s been a week since you reported the leaky faucet (due care) and it’s still broken. You follow-up with to verify that it gets done (due diligence).
In The Context of Security
Let’s give an example that might apply in an enterprise environment. You’re a Vulnerability Assessment Analyst and you run a vulnerability scan on your environment. You discover 150 workstations are out of date on their patching. As per process, you submit a request to have those machines updated with up-to-date patches (due care). As a CISSP you know that due care is only half of your responsibility. A week later you run another vulnerability scan and determine that all systems have been patched (due diligence). So not only are you doing your part as a responsible vulnerability officer, but you’re also following up to ensure that due care was taken by the patching team. (Due care for the Patcher is to keep the workstations up-to-date with the latest patches. But if you were able to find out of date patches then are they really taking due care?)
As you’ve probably figured out due care and due diligence are very important legal concepts that span many Industries.