Due care vs. due diligence and the CISSP
This article is part of our CISSP certification prep series. For more CISSP-related resources, see our CISSP certification hub.
Due care and due diligence are two terms that are not interchangeable but are equally important to be mindful of. For instance, anyone wanting to take responsibility for their mortgage will take the time to ensure that they fully understand the ins and outs of their mortgage — in other words, to do what is expected as a result of the nature of their mortgage — before fully committing to it. That’s due care. Due diligence is all about ensuring you fully understand the terms of your contract before you sign it.
How, then, do each of these terms fully apply to the world of information security? Why are these two terms so very vital to this growing field? CISSP certification holders are expected to know this as part of domain 1 of the CISSP exam, Security and risk management.
Earn your CISSP, guaranteed!
Due care — “Looking before you leap”
Effectively, the notion of due care as far as information security goes is something of a double-edged sword. You either wait for regulators and government officials to come out with standards that you need to follow in order to ensure that your organization is truly secure, or you take a more proactive approach. There have been countless organizations and agencies that have waited until the government has stepped in — or until their security has been compromised — before they have taken appropriate measures to ensure their security has been improved.
However, if one was to follow a standard of due care in order to ensure that their information security is not compromised, a certain level of proactivity is necessary. The creation of a culture of security is a priority, across all levels of any organization, in order to protect the organization’s brand — their mark on the world. If the brand becomes associated with a notion that security is not a priority, then organizations have to work especially hard to regain that image in their clients’ eyes.
Due care also means that there is such a thing as bad public relations. Companies don’t want to be known for their information security breaches. That’s a certain way to have their reputations be colored negatively and to lose credibility, in addition to losing that all-important client base.
What we are effectively looking at as far as due care is concerned is ongoing maintenance to ensure things are in proper order. If the due care is implemented as a result of a contract requirement, a regulation, or law, you absolutely must abide by that standard established within. The direct opposite of due care is negligence.
Due diligence: Understanding is just the beginning
Due diligence is simply a matter of understanding the ins and outs of your information security policies and procedures. However, in order to truly demonstrate due diligence when it comes to information security, businesses must focus a narrow lens on their own information security in addition to being mindful of global laws and regulations which may have an impact on their operations.
There is also the notion that businesses everywhere are trying to cut costs, which may lead to a cutback in focus on due diligence on information security. There are very few businesses that are trying to reduce overall costs lately, and as a result, there’s an increase in outsourcing which, in turn, may lead to increased risk overall. It’s critical for supervisors and board members to provide ongoing supervision to ensure the safety of information assets throughout any outsourcing efforts.
A framework for due diligence should also be made part of the quality assurance process. In doing so, businesses can then cut their potential for risk throughout their information security systems. In addition, businesses could then potentially realize savings and, because they are taking greater care with their information security processes, potentially realize further profits being made.
Put simply, the opposite of due diligence would be “not doing your homework” or simply approaching your work in a haphazard manner. Examples of this as far as CISSP goes would be not examining the terms of the framework and scope of pentesting prior to engaging in the test or going ahead to do the test without ensuring you have the proper authorization to get the job done. Not following the practices of due diligence could lead to your dismissal from a contract or worse, legal trouble because you were caught doing something you shouldn’t be doing.
Conclusion
The bottom line is, there should be communication across all departments in any organization and including the board of directors and management well before any breach occurs. Should that not happen, there could be serious repercussions: loss of valuable information and potential loss of clients due to lack of due care and diligence. Management and boards should be well aware of the policies and procedures involving due care and diligence in order to prevent any breach – and to mitigate risk if and when it should occur.
Earn your CISSP, guaranteed!
Sources
- Exam Pass Guarantee
- Live expert CISSP instruction
- CISSP exam voucher
In this Series
- Due care vs. due diligence and the CISSP
- CISSP certification - The ultimate guide [updated 2021]
- The CISSP domains and CBK: An overview
- CISSP certification salary: A comprehensive 2024 salary guide
- Definition & types of access control models & methods (updated 2023)
- CISSP domain 4: Communications and network security — What you need to know for the exam [2022 update]
- CISSP domain 5: Identity and access management — What you need to know for the exam [Updated 2022]
- CISSP domain 7: Security operations — What you need to know for the exam [Updated 2022]
- CISSP domain 6: Security assessment and testing — What you need to know for the exam [Updated 2022]
- CISSP domain 8 overview: Software development security — What you need to know for the exam [Updated 2022]
- CISSP and DoD 8570/8140: What you need to know [Updated 2022]
- Top 10 CISSP interview questions [Updated 2022]
- CISSP domain 1: Security and risk management — What you need to know for the exam
- The ISC2 code of ethics: A binding requirement for certification
- The CISSP experience waiver [updated 2022]
- Earning CPE credits to maintain the CISSP
- Renewal requirements for the CISSP [updated 2022]
- CISSP computerized adaptive testing (CAT): 25 of your questions answered
- CISSP job outlook [updated 2022]
- CISSP resources: Books, practice exams and other study tools [updated 2022]
- CISSP exam questions: 5 drag & drop and hotspot questions
- Risk management concepts and the CISSP (Part 2) [Updated 2022]
- What is the CISSP-ISSAP? Information Systems Security Architecture Professional [updated 2021]
- Average ISSEP Salary in 2021
- Average ISSMP Salary [updated 2021]
- CISSP domain 3: Security engineering CISSP - What you need to know for the exam [2022 update]
- Understanding the CISSP exam schedule: Duration, format, scheduling and scoring [updated 2021]
- What is the CISSP-ISSEP? Information Systems Security Engineering Professional [updated 2021]
- Information and asset classification in the CISSP exam
- CISSP domain 2: Asset security - What you need to know for the Exam [updated 2021]
- 8 tips for CISSP exam success [updated 2021]
- Risk management concepts and the CISSP (part 1) [updated 2021]
- Average ISSAP Salary in 2021
- What is the CISSP-ISSMP? Information Security System Management Professional [updated 2021]
- CISSP concentrations (ISSAP, ISSMP & ISSEP) [updated 2021]
- CISSP prep: Security policies, standards, procedures and guidelines
- Vulnerability and patch management in the CISSP exam
- Data security controls and the CISSP exam
- Logging and monitoring: What you need to know for the CISSP
- Data and system ownership in the CISSP exam
- CISSP Prep: Mitigating access control attacks
- CISSP Domain 5 Refresh: Identity and Access Management
- Identity Governance and Administration (IGA) in IT Infrastructure of Today
- CISSP CAT Exam Deep Dive: Study Tips from InfoSec Institute Alum Joe Wauson
- CISSP: Incident management
- CISSP: Business continuity planning and exercises
- CISSP: Perimeter defenses
- CISSP: Secure communication channels
- Environmental controls and the CISSP
- CISSP: Disaster recovery processes and plans
- Change management and the CISSP
