Due care vs. due diligence and the CISSP
This article is part of our CISSP certification prep series. For more CISSP-related resources, see our CISSP certification hub.
Due care and due diligence are two terms that are not interchangeable but are equally important to be mindful of. For instance, anyone wanting to take responsibility for their mortgage will take the time to ensure that they fully understand the ins and outs of their mortgage — in other words, to do what is expected as a result of the nature of their mortgage — before fully committing to it. That’s due care. Due diligence is all about ensuring you fully understand the terms of your contract before you sign it.
How, then, do each of these terms fully apply to the world of information security? Why are these two terms so very vital to this growing field? CISSP certification holders are expected to know this as part of domain 1 of the CISSP exam, Security and risk management.
Due care — “Looking before you leap”
Effectively, the notion of due care as far as information security goes is something of a double-edged sword. You either wait for regulators and government officials to come out with standards that you need to follow in order to ensure that your organization is truly secure, or you take a more proactive approach. There have been countless organizations and agencies that have waited until the government has stepped in — or until their security has been compromised — before they have taken appropriate measures to ensure their security has been improved.
However, if one was to follow a standard of due care in order to ensure that their information security is not compromised, a certain level of proactivity is necessary. The creation of a culture of security is a priority, across all levels of any organization, in order to protect the organization’s brand — their mark on the world. If the brand becomes associated with a notion that security is not a priority, then organizations have to work especially hard to regain that image in their clients’ eyes.
Due care also means that there is such a thing as bad public relations. Companies don’t want to be known for their information security breaches. That’s a certain way to have their reputations be colored negatively and to lose credibility, in addition to losing that all-important client base.
What we are effectively looking at as far as due care is concerned is ongoing maintenance to ensure things are in proper order. If the due care is implemented as a result of a contract requirement, a regulation, or law, you absolutely must abide by that standard established within. The direct opposite of due care is negligence.
Due diligence: Understanding is just the beginning
Due diligence is simply a matter of understanding the ins and outs of your information security policies and procedures. However, in order to truly demonstrate due diligence when it comes to information security, businesses must focus a narrow lens on their own information security in addition to being mindful of global laws and regulations which may have an impact on their operations.
There is also the notion that businesses everywhere are trying to cut costs, which may lead to a cutback in focus on due diligence on information security. There are very few businesses that are trying to reduce overall costs lately, and as a result, there’s an increase in outsourcing which, in turn, may lead to increased risk overall. It’s critical for supervisors and board members to provide ongoing supervision to ensure the safety of information assets throughout any outsourcing efforts.
A framework for due diligence should also be made part of the quality assurance process. In doing so, businesses can then cut their potential for risk throughout their information security systems. In addition, businesses could then potentially realize savings and, because they are taking greater care with their information security processes, potentially realize further profits being made.
Put simply, the opposite of due diligence would be “not doing your homework” or simply approaching your work in a haphazard manner. Examples of this as far as CISSP goes would be not examining the terms of the framework and scope of pentesting prior to engaging in the test or going ahead to do the test without ensuring you have the proper authorization to get the job done. Not following the practices of due diligence could lead to your dismissal from a contract or worse, legal trouble because you were caught doing something you shouldn’t be doing.
The bottom line is, there should be communication across all departments in any organization and including the board of directors and management well before any breach occurs. Should that not happen, there could be serious repercussions: loss of valuable information and potential loss of clients due to lack of due care and diligence. Management and boards should be well aware of the policies and procedures involving due care and diligence in order to prevent any breach – and to mitigate risk if and when it should occur.