Newcomer I

Due Care vs Due Diligence

So I have come across a testing issue that has been bothering me and found a little conflict:

 

The Sybex online glossary (and book) state: 

 

Due Care: The steps taken to ensure that assets and employees of an organization have been secured and protected and that upper management has properly evaluated and assumed all unmitigated or transferred risks.

 

Due diligence: The extent to which a reasonable person will endeavor under specific circumstances to avoid harming other people or property

 

The (ISC)2 practice test iPhone app shows the following test question:

[Image attachment: IMG_0085.jpeg]

 

So my question at this point is: what is the correct answer? This is very discouraging for my studying.

 

 

7 Replies
Community Champion

Re: Due Care vs Due Diligence

I think the confusion might be clarified with several key words, such as 'standard', 'specific', 'broad'.

 

Due care is a broad, standard, more general sense of 'care', more applicable to the general, broad interests of the organization, whereas due diligence is a 'specific' action such as following policy, procedure, etc. Don't get hung up on 'reasonable person', since that is expected for both.

 

Your study question contains 'standard' and 'broad', thus C is correct.

 

Just my interpretation, hope it helps.

 

Best,

 


____________________________________
Chuxing Chen, Ph.D., CISSP, PMP
Newcomer I

Re: Due Care vs Due Diligence

Honestly not really... 

 

Due care seems to be a more defined definition than Due Diligence based on the definitions. Due Care seems to stem from the broad sense of Due Diligence. Just my thoughts...  

Community Champion

Re: Due Care vs Due Diligence

In the Q the word "care" is used. Which option does it occur in? C - don't make it harder than it is. This is the way (ISC)2 will test you.

Advocate I

Re: Due Care vs Due Diligence

Christopher,

 

I concur with both Chuxing and Mark.

 

First, test-taking skills, generally.

 

@Flyslinger2 wrote:

In the Q the word "care" is used. Which option does it occur in? C - don't make it harder than it is. This is the way (ISC)2 will test you.


This needs to be amplified. The question used the term "care", and that should cue you that the answer is looking for the same term.

 

Second, Due Care and Due Diligence.

 

@Chuxing wrote:

I think the confusion might be clarified with several key words, such as 'standard', 'specific', 'broad'.

 

Due care is a broad, standard, more general sense of 'care', more applicable the general, broad interests of the organization,  whereas due diligence is a 'specific' action such as following policy, procedure, etc.

Due Care is a general approach to provide the best services possible.  It is broad in its scope in that the person will act as a responsible security professional addressing risks to assets and employees.

 

Due Diligence is a specific set of actions to inform yourself in the context of a specific and narrowly defined condition or activity, and avoid worsening any loss or further causing harm.  It is one component of Due Care.

 

This question and answer series has to do with your understanding of how each of these terms applies to the scope of behavior.  They can be vaguely described using practically the same language, except that one is overall professional conduct (Due Care) and the other is conduct applied to a specific problem (Due Diligence).  

 

I know it seems trite to nitpick at these definitions. If you take on a consulting position, or one in senior management, and something goes wrong, you may want to be able to apply these terms correctly and in their proper place when (or hopefully before) the corporate lawyers are sitting across the table from you.

 

Sincerely,

 

Eric B.

 

 

Community Champion

Re: Due Care vs Due Diligence


@Nedryck wrote:

The Sybex online glossary (and book) state: 

 


At first I thought you meant me, and then realized that mine was from Syngress.  Anyway, due care and due diligence come to us from law.  The legal literature actually shows them as roughly equivalent, so that's no help in distinguishing them for questions.  (And, I would say, if you actually came across that question in an exam, you could challenge it.  That's a bad question.)

 

If you have to distinguish between them, then due care is the reasonable care you take, and due diligence is mostly the documentation or actions or research that prove you took it.

 


............
This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
Community Champion

Re: Due Care vs Due Diligence

 

When you are unclear on something, it is best to check multiple resources. Most often a different perspective will help make things clearer.

 

Harris, Shon. CISSP Boxed Set, Second Edition (All-in-One) (Kindle Locations 20967-20971).

Due care means that a company practiced common sense and prudent management and acted responsibly.

 

Due diligence means that the company properly investigated all of its possible weaknesses and vulnerabilities.

USlegal.com

Due Care refers to the effort made by an ordinarily prudent or reasonable party to avoid harm to another, taking the circumstances into account.

 

Due Diligence is a process of acquiring objective and reliable information, generally on a person or a company, prior to a specific event or decision. It is usually a systematic research effort,

...in this case, the "clarity" is that the Sybex glossary appears to have the definitions reversed. Sybex does have an errata section on their web site, but this is not mentioned there. You might consider submitting it using their errata form.

 

 

Avoiding error is another good example of why one ought to use multiple resources when studying.

 


@Nedryck wrote:

The Sybex online glossary (and book) state: 

 

Due Care: The steps taken to ensure that assets and employees of an organization have been secured and protected and that upper management has properly evaluated and assumed all unmitigated or transferred risks.

 

Due diligence: The extent to which a reasonable person will endeavor under specific circumstances to avoid harming other people or property


Community Champion

Re: Due Care vs Due Diligence

> Nedryck (Newcomer I) moved a topic in Exam Preparation on 06-14-2018 07:52 AM in

> So I have come across a testing issue that has been bothering me and found a
> little conflict:   The Sybex online glossary (and book) state:    Due Care:
> The steps taken to ensure that assets and employees of an organization have been
> secured and protected and that upper management has properly evaluated and
> assumed all unmitigated or transferred risks. due diligence The extent to which
> a reasonable person will endeavor under specific circumstances to avoid harming
> other people or property.   Due diligence: The extent to which a reasonable
> person will endeavor under specific circumstances to avoid harming other people
> or property

OK, this is a very sticky issue, and one which it is extremely difficult to resolve.
Due care and due diligence are legal terms, and even the lawyers can't seem to
agree on the difference. Some legal dictionaries say there is a difference, some say
there isn't. For those that *do* say there is a difference, it is generally that due
care is being reasonably prudent, and due diligence is how you prove you *were*
prudent. So, in that case, Sybex is wrong and has it backwards, and the ISC2 app
test has it right. (From long experience, I would say that it is always safest to
assume that Sybex has it wrong.)

======================
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
"If you do buy a computer, don't turn it on." - Richards' 2nd Law
"Robert Slade's Guide to Computer Viruses" 0-387-94663-2
"Viruses Revealed" 0-07-213090-3
"Software Forensics" 0-07-142804-6
"Dictionary of Information Security" Syngress 1-59749-115-2
============= for back issues:
[Base URL] site http://victoria.tc.ca/techrev/
CISSP refs: [Base URL]mnbksccd.htm
PC Security: [Base URL]mnvrrvsc.htm
Security Dict.: [Base URL]secgloss.htm
Security Educ.: [Base URL]comseced.htm
Book reviews: [Base URL]mnbk.htm
[Base URL]review.htm
Partial/recent: http://groups.yahoo.com/group/techbooks/
http://en.wikipedia.org/wiki/Robert_Slade
https://is.gd/RotlWB http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/