topic Re: Due Care vs Due Diligence in Exam Preparation

Due Care vs Due Diligence

Nedryck — Thu, 14 Jun 2018 11:52:21 GMT

So I have come across a testing issue that has been bothering me and found a little conflict:

The Sybex online glossary (and book) state:

Due Care: The steps taken to ensure that assets and employees of an organization have been secured and protected and that upper management has properly evaluated and assumed all unmitigated or transferred risks. due diligence The extent to which a reasonable person will endeavor under specific circumstances to avoid harming other people or property.

Due diligence: The extent to which a reasonable person will endeavor under specific circumstances to avoid harming other people or property

The (ISC)2 practice test Iphone app test question shows the following test question:

So my question at this point what is correct answer? This is very discouraging through my studying.

Re: Due Care vs Due Diligence

Chuxing — Thu, 14 Jun 2018 13:52:30 GMT

I think the confusion might be clarified with several key words, such as 'standard', 'specific', 'broad'.

Due care is a broad, standard, more general sense of 'care', more applicable the general, broad interests of the organization, whereas due diligence is a 'specific' action such as following policy, procedure, etc. Don't get hung over 'reasonable person', since that is expected for both.

Your study question contains 'standard' and 'broad', thus C is correct.

Just my interpretation, hope it helps.

Best,

Re: Due Care vs Due Diligence

Nedryck — Thu, 14 Jun 2018 14:07:46 GMT

Honestly not really...

Due care seems to be a more defined definition than Due Diligence based on the definitions. Due Care seems to stem from the broad sense of Due Diligence. Just my thoughts...

Re: Due Care vs Due Diligence

Flyslinger2 — Thu, 14 Jun 2018 14:29:30 GMT

In the Q the word "care" is used. Which option does it occur in? C - don't make it harder then it is. This is the way (ISC)2 will test you.

Re: Due Care vs Due Diligence

Baechle — Thu, 14 Jun 2018 15:04:07 GMT

Christopher,

I concur with both Chuxing and Mark.

First test-taking skills, generally.

@Flyslinger2 wrote:
In the Q the word "care" is used. Which option does it occur in? C - don't make it harder then it is. This is the way (ISC)2 will test you.

This needs to be amplified. The question used the term care and that should cue for you that the answer is looking for the same feedback.

Second, Due Care and Due Diligence.

@Chuxing wrote:
I think the confusion might be clarified with several key words, such as 'standard', 'specific', 'broad'.

Due care is a broad, standard, more general sense of 'care', more applicable the general, broad interests of the organization, whereas due diligence is a 'specific' action such as following policy, procedure, etc.

Due Care is a general approach to provide the best services possible. It is broad in its scope in that the person will act as a responsible security professional addressing risks to assets and employees.

Due Diligence is a specific set of actions to inform yourself in the context of a specific and narrowly defined condition or activity, and avoid worsening any loss or further causing harm. It is one component of Due Care.

This question and answer series has to do with your understanding of how each of these terms applies to the scope of behavior. They can be vaguely described using practically the same language, except that one is overall professional conduct (Due Care) and the other is conduct applied to a specific problem (Due Diligence).

I know it seems trite to nitpick at these definitions. If you take on a consulting position or one where you are in senior management where something goes wrong, you may want to be able to apply these terms correctly and in their proper place when (or hopefully before) the corporate lawyers are sitting across the table from you.

Sincerely,

Eric B.

Re: Due Care vs Due Diligence

rslade — Thu, 14 Jun 2018 15:28:09 GMT

@Nedryck wrote:

The Sybex online glossary (and book) state:

At first I thought you meant me, and then realized that mine was from Syngress. Anyway, due care and due diligence come to us from law. The legal literature actually shows them as roughly equivalent, so that's no help in distinguishing them for questions. (And, I would say, if you actually came across that question in an exam, you could challenge it. That's a bad question.)

If you have to distinguish between them, then due care is the reasonable care you take, and due diligence is mostly the documentation or actions or research that prove you took it.

Re: Due Care vs Due Diligence

denbesten — Thu, 14 Jun 2018 17:14:53 GMT

When you are unclear on something, it is best to check multiple resources. Most often a different perspective will help make things clearer...

Harris, Shon. CISSP Boxed Set, Second Edition (All-in-One) (Kindle Locations 20967-20971).

Due care means that a company practiced common sense and prudent management and acted responsibly.

Due diligence means that the company properly investigated all of its possible weaknesses and vulnerabilities.

USlegal.com

Due Care refers to the effort made by an ordinarily prudent or reasonable party to avoid harm to another, taking the circumstances into account.

Due Diligence is a process of acquiring objective and reliable information, generally on a person or a company, prior to a specific event or decision. It is usually a systematic research effort,

...in this case, the "clarity" is that the Sybex glossary appears to have the definitions reversed. Sybex does have an errata section on their web site, but this is not mentioned. You might consider submitting it using their errata form.

Avoiding error is another good example of why one ought to use multiple resources when studying.

@Nedryck wrote:
The Sybex online glossary (and book) state:

Due Care: The steps taken to ensure that assets and employees of an organization have been secured and protected and that upper management has properly evaluated and assumed all unmitigated or transferred risks.

Due diligence: The extent to which a reasonable person will endeavor under specific circumstances to avoid harming other people or property

Re: Due Care vs Due Diligence

rslade — Thu, 20 Aug 2020 18:14:48 GMT

> Nedryck (Newcomer I) moved a topic in Exam Preparation on 06-14-2018 07:52 AM in

> So I have come across a testing issue that has been bothering me and found a
> little conflict: Â The Sybex online glossary (and book) state:Â Â Due Care:
> The steps taken to ensure that assets and employees of an organization have been
> secured and protected and that upper management has properly evaluated and
> assumed all unmitigated or transferred risks. due diligence The extent to which
> a reasonable person will endeavor under specific circumstances to avoid harming
> other people or property. Â Due diligence: The extent to which a reasonable
> person will endeavor under specific circumstances to avoid harming other people
> or property

OK, this is a very sticky issue, and one which it is extremely difficult to resolve.
Due care and due diligence are legal terms, and even the lawyers can't seem to
agree on the difference. Some legal dictionaries say there is a difference, some say
there isn't. For those that *do* say there is a difference, it is generally that due
care is being reasonably prudent, and due diligence is how you prove you *were*
prudent. So, in that case, Sybex is wrong and has it backwards, and the ISC2 app
test has it right. (From long experience, I would say that it is always safest to
assume that Sybex has it wrong.)

======================
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
"If you do buy a computer, don't turn it on." - Richards' 2nd Law
"Robert Slade's Guide to Computer Viruses" 0-387-94663-2
"Viruses Revealed" 0-07-213090-3
"Software Forensics" 0-07-142804-6
"Dictionary of Information Security" Syngress 1-59749-115-2
============= for back issues:
[Base URL] site http://victoria.tc.ca/techrev/
CISSP refs: [Base URL]mnbksccd.htm
PC Security: [Base URL]mnvrrvsc.htm
Security Dict.: [Base URL]secgloss.htm
Security Educ.: [Base URL]comseced.htm
Book reviews: [Base URL]mnbk.htm
[Base URL]review.htm
Partial/recent: http://groups.yahoo.com/group/techbooks/
http://en.wikipedia.org/wiki/Robert_Slade
https://is.gd/RotlWB http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/

Re: Due Care vs Due Diligence

aidan — Mon, 24 Jan 2022 19:46:49 GMT

Although always confusing, esp for the culture varies of daily life, in the cyber security world. due care is for common, and due diligence focus on the duties on specified components ( 3rd parties) and taking actions.

Re: Due Care vs Due Diligence

iluom — Fri, 09 Dec 2022 06:55:11 GMT

Due care and due diligence are often confused, they are related, but there is a difference between them. Due care is informal, while due diligence follows a process. Think of due diligence as a step beyond due care. For example, expecting your staff to keep their systems patched means that you expect them to exercise due care, while verifying that your staff has patched their systems is an example of due diligence.

[citing from a book written by Eric Conrad, Seth Misenar, Joshua Feldman]

Simple trick to follow when in doubt.

Due Care = DC = Do Correct

Due Diligence = DD = Do Detect

eg:

A routine review of the most current SOC 2 report is a critical part of a cloud customer's due diligence for their cloud service vendor.

There are several approaches to risk mitigation in cloud environments. The start of security is with the selection of a CSP, and a set of documented requirements and comparison of CSP offerings against those requirements is a key due diligence activity.

Designing a supply chain risk management (SCRM) program to assess CSP or vendor risks is a due diligence practice, and actually performing the assessment is an example of due care.

in a nutshell, by practicing due care, the organization shows it has taken the necessary steps to protect itself and its workers. By practicing due diligence, the organization ensures that these security policies are properly maintained, communicated, and implemented.

Hope this would clear confusion...

Thanks

Re: Due Care vs Due Diligence

CraginS — Fri, 09 Dec 2022 13:30:51 GMT

@iluom Mouli, good try at putting some order to the question, however, instill read some linguistic ambiguity to your and all previous replies in this thread.

I am convinced that @rslade Grandpa Rob had it right: The question itself is a BAD QUESTION because it tries to differentiate two legal terms in the context of non-lawyers. Subsequent posts in the thread demonstrate that there is no consistent difference between the terms in either legal or general public references.

Re: Due Care vs Due Diligence

Babnerbaptiste — Thu, 16 Mar 2023 09:33:04 GMT

This is the clearest definition I have seen on this thread regarding due care and due diligence so far. Due care is what you do, it is action where as due diligence is the paperwork you erect about your actions which includes the policies, written procedures or plan that prove you exercise due care.
Example: making regular backups and restores to test and ensure these backups are good and sound is due care while a a written backup and restore policy, the steps aka procedures you use you to perform these backups and restores represente due diligence and you can bring these documents with you in the board room when you speak with the organization's lawyer 😉

Re: Due Care vs Due Diligence

Babnerbaptiste — Thu, 16 Mar 2023 09:37:04 GMT