Due Care vs. Due Diligence and the CISSP

Due care and due diligence are not interchangeable terms, but both are equally important to keep in mind. For instance, anyone wanting to take responsibility for their mortgage will take the time to ensure that they fully understand the ins and outs of that mortgage – in other words, to do what is expected given the nature of the mortgage – before fully committing to it. That’s due care. Due diligence is all about ensuring you fully understand the terms of your contract before you sign it.

How, then, does each of these terms apply to the world of information security? Why are these two terms so vital to this growing field?

Due Care – “Looking Before You Leap”

In information security, the notion of due care is something of a double-edged sword. You either wait for regulators and government officials to publish standards that you must follow in order to ensure that your organization is truly secure, or you take a more proactive approach. Countless organizations and agencies have waited until the government stepped in – or until their security was compromised – before taking appropriate measures to improve their security.

However, if one were to follow a standard of due care in order to ensure that information security is not compromised, a certain level of proactivity is necessary. Creating a culture of security is a priority, across all levels of any organization, in order to protect the organization’s brand – its mark on the world. If the brand becomes associated with the notion that security is not a priority, then organizations have (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Infosec. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/ThRbxLu6fcs/