
Due Care Vs. Due Diligence


January 1, 2016

I'm sure this has been brought up numerous times, but I'm getting more and more confused. I've read so many sources on this, and they seem to radically contradict each other. Even in the Cybrary CISSP videos, there's something I'm confused about. Kelly verbally says that due diligence is the research and due care is the action. OK, but there's a PowerPoint slide (#7 in Legal) that says that due care is setting a policy and due diligence is enforcing that policy. These seem to be saying very different things, as I would interpret 'enforcing the policy' as the action part. Other sources (Harris and Conrad) similarly have this apparent contradiction. Can someone help straighten my brain out around this issue? Thanks!

Just to follow up on my question, here are two more quotes:

Harris: Due diligence is the act of gathering the necessary information so the best decision-making activities can take place. Due care pertains to acting responsibly and "doing the right thing." It is a legal term that defines the standards of performance that can be expected.

Conrad: Whereas due care intends to set a minimum necessary standard of care to be employed by an organization, due diligence requires that an organization continually scrutinize their own practices to ensure that they are always meeting or exceeding the requirements for protection of assets and stakeholders. Due diligence is the management of due care, and it follows a formal process.

From the Harris definition, it looks like due diligence is gathering information and due care involves actions and performance. From Conrad's definition, due care is setting a standard, and due diligence involves the day-to-day actions. These "appear" to be saying almost the exact opposite. But based on the authority of the authors, I'm sure they are both right in some way. Can anyone help clear this up? Thank you!

I'm in the same boat. If only Kelly could see this post.

Hi, both Due Care and Due Diligence appear to be quite confusing. Hope the below clears up the fog around it a little.

**Due Care**

It is also considered the legal duty of a company, as in a company is obliged by law to perform certain steps; if it fails to do so, then it can be held liable in court. For example, a bank should let its customers know that it will never ask for their PIN or password, to avoid lawsuits or comply with laws and regulations.

Excerpt from: Hernandez, Steven. "Official (ISC)2 Guide to the CISSP CBK."

> The lack of due care is often considered negligence, and in most countries is actionable under law. If an organization is legally mandated to comply with regulations or information security requirements, knowingly or unknowingly neglecting those requirements could lead to legal exposure from a due care perspective.

**Due Diligence**

This pertains to best practices that a company should follow to keep its head above the water (keep itself secure). If a company fails to implement these measures, it might face an attack but might not be legally liable. For example, performing penetration tests or employee background checks to find holes would be due diligence, as it might not be mandated by law but it's a good practice.

Hope this clears up the confusion. :) Cheers!

Hi, when studying for my CISSP exam, I took another approach to understanding the differences. My logic was as follows:

Due Diligence: This is something a company does prior to buying a service, i.e. check the service provider is compliant in the areas they claim to be, i.e. are ISO27001 certified, not compliant. By this I mean, to be compliant is to follow a set of rules, whereas being certified means they have been audited and certified/confirmed to be compliant. I took the approach of looking into another company for clarity.

Due Care: This is something I would do for my company, ensuring we follow the rules/regulations and best practices. In the same way as above, if my company was a service provider, due care is to ensure my company is compliant and certified to ISO27001 standards.

Hope this helps. Ty.

Due diligence is investigating the risks, and due care is carrying out the necessary steps to mitigate these risks.

I agree about the conflicting descriptions. For CISSP purposes it seems to refer to roles. Users or custodians seem to need to practice due care and management needs to practice due diligence. I'm not sure where I got this, but I have this in my notes: Expecting your staff to keep their systems patched means you expect them to exercise due care. Verifying that your staff has patched their systems is an example of due diligence.

Edit: Just realized that came from the Eric Conrad 11th Hour book, pg 57.

Along with what has already been pointed out, for ***risk management*** I use the terms this way:

Due Diligence is the assessment of the risks (identification, likelihood, consequences if realized). That differs from the way this concept is used in related fields: in compliance and audit, due diligence is, instead, keeping current on normative.

Due Care is doing what a reasonable person would do about those risks (e.g. installing and enforcing a policy, executing a procedure, or even nothing when hardening, mitigating or transferring a risk costs more than its consequences; showing due diligence is essential in this case).

My 2 cents. Thanks.

Thank you guys for going back and forth on this subject. Reading the post had me to cler up my understanding of Due Diligence and Due Cre.

My spelling was definitely not good in that post. cler should have been clear and Cre should have been Care.

This helped me with the differences: due diligence = detect, due care = correct. Management needs to be aware of the risks (detecting the risks ~ due diligence). Management solutions are usually delegated to IT workers (correction of the risk ~ putting controls in place ~ due care).

Let me explain like this to avoid confusion: Due: C for Care, D for Diligence. C is on top of D. So Due Care is on top of Due Diligence. Management is on top of IT. So Due Care is the functionality of management and Due Diligence is for the IT guys. Again, from the meaning of these words: Care means FEEL CONCERN; Diligence means EFFORT. Now management becomes concerned about some issues and puts those issues in the policy. IT guys put their effort into removing that concern. Example: Management outlines a policy mentioning file encryption as they feel it's a requirement (Due Care). IT guys make an effort (Diligence) to ensure that. Regards.

Maybe an example is more descriptive? As far as I can tell, here are due diligence / due care for a Windows-based website running IIS, but feel free to comment, correct, etc.:

Due diligence
- Research what threats exist for websites running IIS (and stay up-to-date through newsletters, mailing lists, etc.)
- Research what threats affect the various applications that are part of the website (such as ASP.NET or PHP frameworks, databases, SSL certificates, mail servers, authentication, etc.)
- Determine what the common protection mechanisms are (encryption, firewalls, A/V, backup, etc.)
- Design IT security policies related to IIS-based websites

Due care
- Implement IT security policies
- Constantly monitor the website as per security policies
- Keep the website updated with the latest patches and hotfixes (according to the change control policy)
- If the site is compromised, identify and correct the problem, change passwords, notify users, etc. (again, as per the IT security policy set in "Due diligence")

So in the end, due diligence is creating a good security policy while due care is making sure that the security policy is implemented and followed to the letter.

The way I have always understood them is that due care is putting policies in place: "Thou shalt not use USB devices". That's all well and good, but what good is a policy if it's not enforced? Due diligence is the enforcement of the policies and also researching to see if policies are still current and valid. This can include user training, inspections, exercises, etc. Closely related is due process. Due process is what we do when something goes wrong. We have a policy in place, users have been trained, but someone still brought in a thumb drive and stole customer information. So now we have a dilemma. Customers trusted us with their information, I lost it; how do I protect the information when it's not in my possession? I'll pay for credit monitoring for a certain time frame.

I think this will clear out the confusion. Due care is acting responsibly; due diligence is verifying those responsible actions are sufficient and that they work. For example, due care refers to creating security policies, procedures, and standards to protect information in such a manner as one should reasonably do. Due diligence is the effort a company makes to demonstrate due care by making sure security policies, procedures, and standards are continually maintained and operational.

The way I learned this in my university class was:
- Due Care = Do Correct (setting up correct countermeasures, creating policies, etc.)
- Due Diligence = Do Detect (monitoring, auditing, etc.)

> Just to follow up on my question, here are two more quotes:
>
> Harris: Due diligence is the act of gathering the necessary information so the best decision-making activities can take place. Due care pertains to acting responsibly and "doing the right thing." It is a legal term that defines the standards of performance that can be expected.
>
> Conrad: Whereas due care intends to set a minimum necessary standard of care to be employed by an organization, due diligence requires that an organization continually scrutinize their own practices to ensure that they are always meeting or exceeding the requirements for protection of assets and stakeholders. Due diligence is the management of due care, and it follows a formal process.
>
> From the Harris definition, it looks like due diligence is gathering information and due care involves actions and performance. From Conrad's definition, due care is setting a standard, and due diligence involves the day-to-day actions. These "appear" to be saying almost the exact opposite. But based on the authority of the authors, I'm sure they are both right in some way. Can anyone help clear this up? Thank you!

Yep, both are correct. Tyrone's example is good; I'll quote it for ease of reference:

> Due Diligence: This is something a company does prior to buying a service, i.e. check the service provider is compliant in the areas they claim to be, i.e. are ISO27001 certified, not compliant. By this I mean, to be compliant is to follow a set of rules, whereas being certified means they have been audited and certified/confirmed to be compliant. I took the approach of looking into another company for clarity.
>
> Due Care: This is something I would do for my company, ensuring we follow the rules/regulations and best practices. In the same way as above, if my company was a service provider, due care is to ensure my company is compliant and certified to ISO27001 standards.

To give another example, say you work for a huge clinical group that wants to buy / take over a small radiology practice. Before you sign the contract, you should perform due diligence on the radiology practice, i.e. check whether it is being run properly, all its contracts with suppliers, customers and the landlord are in order, there are no lawsuits against it, etc. This is how it is an "act of gathering the necessary information". The huge clinical group has to exercise "due care" in the buying / takeover process. Another term that you may have seen before that is used instead of due care is "reasonable care". How do you exercise "due care" in buying a company? One of the requirements is to perform due diligence on the company: find out whether it's being run properly, whether everything is in order. Can you see now how "due care" is a standard that requires a person to do certain things?

I think adigri's example is the closest one! Due care is doing what a reasonable person would do in a given situation. It is sometimes called the "prudent man" rule. The term is derived from "duty of care"; for example, parents have a duty to care for their children. Due diligence is the management of due care. Due care and due diligence are often confused; they are related, but there is a difference between them. Due care is informal, while due diligence follows a process. Think of due diligence as a step beyond due care. For example, expecting your staff to keep their systems patched means that you expect them to exercise due care, while verifying that your staff has patched their systems is an example of due diligence.

Due care is doing what needs to be done, while due diligence is more than what is needed, i.e. extra efforts to ensure due care is effective.

Is it fair to write that Due Care manages Due Diligence? My understanding is this way: Due Care comes before Due Diligence. How can you diligently implement a governance framework, patch a system, or enforce a policy if you do not care enough to know about your organizational needs for governance, to understand the patches required and how they might affect a system, or to have a policy that addresses a particular matter to begin with? Due care precedes due diligence.