One of the most common questions I get is:
"Luke, can you please explain the difference between due care and diligence with real-world examples?"
Yes, please see below.
Due Care & Diligence Concepts
Due care is about correcting something immediately. The first letter of the two words even help to remember this, DC = do correct.
Due diligence takes longer than just fixing something immediately, it is more the investigation as to why that something had to be corrected in the first place. It is about detecting the reason behind either an incident, event, or breach etc. etc. The first two letters help to remember this, DD, do detect.
Due care is a way to implement something right away in order to perform mitigation procedures.
Due diligence is making sure the right thing was done correctly, and if it is necessary to do it again or if further research is required.
Due care is doing the right thing, the prudent man rule.
Due diligence is making sure the steps to do the right thing are correct and within risk parameters, the experienced man rule.
In order to perform due care, the organization must first perform due diligence. Due diligence comes before due care and is a management process used to gather facts before making a decision.
The implementation of controls is due care, and verification of those controls being implemented is due diligence.
Due diligence is knowing and due care is doing.
Due care is an action which should most likely be taken, due diligence can be an action that may not be necessary but is the best thing to do for long-term goals.
The word "care" is a shorter word than "diligence", so due care is the short-term action, and due diligence is the long-term action.
Due care (bottom to top) starts from the bottom of security governance like security operations, and due diligence starts from the top (top to bottom) like senior management
Real-World Examples
Using a condom is due care, taking the steps to decide whether to use the condom is due diligence.
Issuing policies, standards, baselines, and procedures are part of due diligence. Applying these types of documents is due care.
Installing patches to mitigate the latest CVE is due care, understanding the reason for the CVE and making sure it has been fully understood is due diligence.
Performing an annual security audit is due diligence, but taking the corrective action from the results of an audit is due care.
Monitoring the network for malicious activity is due care, while implementing a policy from senior management for such activity is due diligence.
Due care is making sure you provide security training and practice sound security practices at your company. Examples of which include putting up posters that say you must lock your computer, or making sure employees know where to find documents for proper security procedures, or locking your drawers. Due diligence is setting up the proper framework, like ISO 27001 and having audits to make sure all those little steps you're making sure to do in due care, is done properly. Due diligence is the broader form of due care.
Due care is bringing back online a web server which went down in the middle of business hours. Due diligence is finding out why the web server went down and making sure controls are put into place to make sure it doesn't happen again in the same manner.
An outdated BYOD policy is a violation of due diligence, encrypting devices which belong to the employee holding company information is due care.
Conducting a penetration test is due diligence, and implementing the controls to mitigate the risks found as a result is due care.
Research of the network security infrastructure of your organization is due diligence, while installing and configuring firewalls, routers, servers, switches, and access points is due care.
When engaging with third-party vendors or suppliers, researching and understanding legal responsibilities, formulation of integrating two environments, conducting SLA negotiations, or ensuring a transition of power, is due diligence. Executing the engagement with the third-party vendor or supplier is due care.
Installing anti-virus software before deploying a device is due care, ensuring anti-virus software is up-to-date and monitoring in real-time is due diligence.
Configuring an IPSec VPN, access-control list, network address translation policies on a firewall is due care. A proper change management process to track and account for those changes is due diligence.
Putting up sandbags in preparation for a hurricane is due care. Tracking the weather and seeing the trajectory of a hurricane would be due diligence.
Visiting a doctor when you're sick and taking medication is due care. Maintaining a healthy eating habit and a proper exercise regimen is due diligence.
Studying your CISSP books, study resources, taking over 5,000 practice questions, reading NIST documents, watching videos, reading as much as you can about the CISSP Common Body of Knowledge, or becoming a member of this site, is practice proper due diligence. Taking your CISSP exam is due care, whether you pass it or not.
Cheers.