Nedryck
Newcomer I

Due Care vs Due Diligence

So I have come across a testing issue that has been bothering me and found a little conflict:

 

The Sybex online glossary (and book) state: 

 

Due Care: The steps taken to ensure that assets and employees of an organization have been secured and protected and that upper management has properly evaluated and assumed all unmitigated or transferred risks.

 

Due diligence: The extent to which a reasonable person will endeavor under specific circumstances to avoid harming other people or property

 

The (ISC)2 practice test iPhone app shows the following test question:

[image: IMG_0085.jpeg]

 

So my question at this point is: what is the correct answer? This is very discouraging during my studying.

12 Replies
Chuxing
Community Champion

I think the confusion might be clarified with several key words, such as 'standard', 'specific', 'broad'.

 

Due care is a broad, standard, more general sense of 'care', more applicable to the general, broad interests of the organization, whereas due diligence is a 'specific' action such as following policy, procedure, etc. Don't get hung up on 'reasonable person', since that is expected for both.

 

Your study question contains 'standard' and 'broad', thus C is correct.

 

Just my interpretation, hope it helps.

 

Best,

 


____________________________________
Chuxing Chen, Ph.D., CISSP, PMP
Nedryck
Newcomer I

Honestly not really... 

 

Due care seems to be more precisely defined than due diligence, based on the definitions. Due care seems to stem from the broad sense of due diligence. Just my thoughts...

Flyslinger2
Community Champion

In the Q the word "care" is used. Which option does it occur in? C - don't make it harder than it is. This is the way (ISC)2 will test you.

Baechle
Advocate I

Christopher,

 

I concur with both Chuxing and Mark.

 

First test-taking skills, generally.

 

@Flyslinger2 wrote:

In the Q the word "care" is used. Which option does it occur in? C - don't make it harder than it is. This is the way (ISC)2 will test you.


This needs to be amplified.  The question used the term care and that should cue for you that the answer is looking for the same feedback.

 

Second, Due Care and Due Diligence.

 

@Chuxing wrote:

I think the confusion might be clarified with several key words, such as 'standard', 'specific', 'broad'.

 

Due care is a broad, standard, more general sense of 'care', more applicable the general, broad interests of the organization,  whereas due diligence is a 'specific' action such as following policy, procedure, etc.

Due Care is a general approach to provide the best services possible.  It is broad in its scope in that the person will act as a responsible security professional addressing risks to assets and employees.

 

Due Diligence is a specific set of actions to inform yourself in the context of a specific and narrowly defined condition or activity, and avoid worsening any loss or further causing harm.  It is one component of Due Care.

 

This question and answer series has to do with your understanding of how each of these terms applies to the scope of behavior.  They can be vaguely described using practically the same language, except that one is overall professional conduct (Due Care) and the other is conduct applied to a specific problem (Due Diligence).  

 

I know it seems trite to nitpick at these definitions. If you take on a consulting position, or one in senior management, and something goes wrong, you may want to be able to apply these terms correctly and in their proper place when (or hopefully before) the corporate lawyers are sitting across the table from you.

 

Sincerely,

 

Eric B.

rslade
Influencer II


@Nedryck wrote:

The Sybex online glossary (and book) state: 

 


At first I thought you meant me, and then realized that mine was from Syngress.  Anyway, due care and due diligence come to us from law.  The legal literature actually shows them as roughly equivalent, so that's no help in distinguishing them for questions.  (And, I would say, if you actually came across that question in an exam, you could challenge it.  That's a bad question.)

 

If you have to distinguish between them, then due care is the reasonable care you take, and due diligence is mostly the documentation or actions or research that prove you took it.

 


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
denbesten
Community Champion

 

When you are unclear on something, it is best to check multiple resources.  Most often a different perspective will help make things clearer...

 

Harris, Shon. CISSP Boxed Set, Second Edition (All-in-One) (Kindle Locations 20967-20971).

Due care means that a company practiced common sense and prudent management and acted responsibly.

 

Due diligence means that the company properly investigated all of its possible weaknesses and vulnerabilities.

USlegal.com

Due Care refers to the effort made by an ordinarily prudent or reasonable party to avoid harm to another, taking the circumstances into account.

 

Due Diligence is a process of acquiring objective and reliable information, generally on a person or a company, prior to a specific event or decision. It is usually a systematic research effort,

...in this case, the "clarity" is that the Sybex glossary appears to have the definitions reversed. Sybex does have an errata section on their web site, but this is not mentioned.  You might consider submitting it using their errata form.

Avoiding error is another good example of why one ought to use multiple resources when studying.

 


@Nedryck wrote:

The Sybex online glossary (and book) state: 

 

Due Care: The steps taken to ensure that assets and employees of an organization have been secured and protected and that upper management has properly evaluated and assumed all unmitigated or transferred risks.

 

Due diligence: The extent to which a reasonable person will endeavor under specific circumstances to avoid harming other people or property


rslade
Influencer II

> Nedryck (Newcomer I) moved a topic in Exam Preparation on 06-14-2018 07:52 AM in

> So I have come across a testing issue that has been bothering me and found a
> little conflict:   The Sybex online glossary (and book) state:    Due Care:
> The steps taken to ensure that assets and employees of an organization have been
> secured and protected and that upper management has properly evaluated and
> assumed all unmitigated or transferred risks. due diligence The extent to which
> a reasonable person will endeavor under specific circumstances to avoid harming
> other people or property.   Due diligence: The extent to which a reasonable
> person will endeavor under specific circumstances to avoid harming other people
> or property

OK, this is a very sticky issue, and one which it is extremely difficult to resolve.
Due care and due diligence are legal terms, and even the lawyers can't seem to
agree on the difference. Some legal dictionaries say there is a difference, some say
there isn't. For those that *do* say there is a difference, it is generally that due
care is being reasonably prudent, and due diligence is how you prove you *were*
prudent. So, in that case, Sybex is wrong and has it backwards, and the ISC2 app
test has it right. (From long experience, I would say that it is always safest to
assume that Sybex has it wrong.)

======================
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
"If you do buy a computer, don't turn it on." - Richards' 2nd Law
"Robert Slade's Guide to Computer Viruses" 0-387-94663-2
"Viruses Revealed" 0-07-213090-3
"Software Forensics" 0-07-142804-6
"Dictionary of Information Security" Syngress 1-59749-115-2
============= for back issues:
[Base URL] site http://victoria.tc.ca/techrev/
CISSP refs: [Base URL]mnbksccd.htm
PC Security: [Base URL]mnvrrvsc.htm
Security Dict.: [Base URL]secgloss.htm
Security Educ.: [Base URL]comseced.htm
Book reviews: [Base URL]mnbk.htm
[Base URL]review.htm
Partial/recent: http://groups.yahoo.com/group/techbooks/
http://en.wikipedia.org/wiki/Robert_Slade
https://is.gd/RotlWB http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/

aidan
Viewer

Although it is always confusing, especially as cultures vary in daily life, in the cyber security world due care is for the common case, and due diligence focuses on the duties relating to specified components (3rd parties) and taking actions.
iluom
Contributor II

 

Due care and due diligence are often confused; they are related, but there is a difference between them. Due care is informal, while due diligence follows a process. Think of due diligence as a step beyond due care. For example, expecting your staff to keep their systems patched means that you expect them to exercise due care, while verifying that your staff has patched their systems is an example of due diligence.

[citing from a book written by Eric Conrad, Seth Misenar, Joshua Feldman]

 

Simple trick to follow when in doubt.

 

Due Care = DC = Do Correct

Due Diligence = DD = Do Detect

 

e.g.:

A routine review of the most current SOC 2 report is a critical part of a cloud customer's due diligence for their cloud service vendor.

 

There are several approaches to risk mitigation in cloud environments. The start of security is with the selection of a CSP, and a set of documented requirements and comparison of CSP offerings against those requirements is a key due diligence activity.

 

Designing a supply chain risk management (SCRM) program to assess CSP or vendor risks is a due diligence practice, and actually performing the assessment is an example of due care.

 

In a nutshell, by practicing due care, the organization shows it has taken the necessary steps to protect itself and its workers. By practicing due diligence, the organization ensures that these security policies are properly maintained, communicated, and implemented.

 

Hope this clears up the confusion...

 

Thanks

Chandra Mouli, CISSP, CCSP, CSSLP