Stop Getting Due Diligence and Due Care Mixed Up

Share this

Due Diligence or Due Care

Spider-Man Double Identity meme
Spider-Man cartoon, “Double Identity”
ABC/Marvel; edited by Sage Knows IT

One of the toughest things when studying for the Certified Information Systems Security Professional (CISSP) test is understanding the concept of Due Diligence and Due Care.  It should be an easy concept to understand, right? One deals with doing the right thing from an administrative perspective, like setting guidelines to prevent others from sending unencrypted emails with sensitive information outside the organization, while the other deals with the action you take to prevent those emails from getting out.

At times, I feel like that famous Spider-Man .GIF of the twins pointing at each other and it hurts my head.  It’s imperative that I get this right, but it is equally important to understand why I keep getting it wrong.

Why I Get Due Diligence and Due Care Mixed Up?

Since root cause is my thing, I decided to explore the reasons why I understand which goes with which one moment and the next, it’s out the window.  If I’m being honest with myself, I’d have to admit that I overthink nearly everything, especially when being tested.

Not a great quality, I know but I always feel when I take tests, the questions are out to get me.  Everything is considered a trick question and the most obvious answer couldn’t be it. A lot of that stems from my childhood and the way teachers would quiz us.  

The confusion of Due Diligence and Due Care

Two sets of answers were identical to each other and close enough to the answer while two other questions were nearly identical and clearly wrong.  When I used the process of elimination on the latter two, I would find myself conflicted. Sorting through my working knowledge, I would select what I perceived to be the most plausible answer and move on to the next question.

Once the test was completed, I would double check my answers and commit the cardinal sin of test taking.  Yes, you guessed it, I’d persuade myself to change the answer because my mind kept circling around it. When the test was graded and returned, I would kick myself.  Should have never switched answers.

Going forward, I needed to figure out the best way for me to not get it wrong again.  The easiest way to remember, I find, is by assigning a keyword to each.

What Is Due Diligence (DD)?

The keyword for DD is aDministrative.  When I think of the word administrative, it becomes synonymous with paperwork and Human Resources in my mind.  DD is simply the pre-work you do before implementing reasonable controls like: understanding of rules, laws, regulations and industry best practices.

Quick Tip:  Before running, you normally would do a few things, right?  Check the weather, due stretches and get a bottle of water. Why?  Because this is the prep work to ensure that you are running in optimal and safe conditions, you won’t pull a muscle or pass out.   

And What Is Due Care (DC)?

The keyword for DC is aCtion.  Did you see what I did there?  The important thing to remember is that DC is the “action” you take in response to DD in an effort to do the right thing.  Case in point, adjusting technology controls like firewalls, deploying content management filters and training your employees to report suspicious activity and emails to IT or management  are all actions you would take to improve your IT Infrastructure.


Pro Tip:  DC is always after DD.  In our running example in the previous section, DC would be drinking the water to stay hydrated and staying on the sidewalk to avoid vehicles from hitting you.  It is the action you take in relation to the DD.


How to Get It Right: Can I Get A T-Chart?

Aside from studying, I know I have to figure out a way to get this right.  I think the key is understanding the best way of learning and applying that concept.  If you are unsure of your learning style, I would recommend taking a quick assessment at How To Study.

For me, I am both an Auditory and Visual learner meaning I best learn when things are presented verbally or visually through demonstrations.  I also like Charts. I put this chart together to help in my understanding. For a printable version, please go here.

Why Are These Terms Important?

During my studies, I commonly found that it was often overlooked as to why these terms were so important.  Sure, it will show up on the test and it’s important to grasp the concepts but what exactly are the real world implications.

I have found like many things in my professional life, these terms are linked to something legal (can never escape it.)  Both DD and DC are measurements of an organization’s legal liability in the event things go awry. It is often asked, if the organization in question did everything prudently possible to prevent a negative action or behavior from occurring like a data breach.  You will often hear the term negligence floating around, so I will take a few lines to explain that.

Negligence is when you willingly fail to apply controls to a hazard or knowingly ignore your responsibilities (also known as culpability) or obligations for personal benefit.  In most cases, this misconduct is driven by a financial benefit, laziness or lack of awareness. Now there are some grey areas here.  

Typically, legal counsel will support its case (both from a defense and prosecution stance) on whether the officers, owners, directors and/or managers expressed Due Diligence and Due Care leading up to the events. If it is determined that they did everything reasonably possible to prevent the misconduct including notifying the chain of command, following industry best practices and setting up reasonable safeguards, it will look favorably on the company’s defense.  

Consequently, if it is determined that they willingly ignored concerns raised by others (like IT), made the decision to ignore because there was no financial benefit to it or felt the need that they were not in the business of securing their own infrastructure, well, they may be looking for another job pretty soon.

More than a few lines, I know.  Sometimes the overlooked items can make the difference in knowledge.  It is also worth noting that just because you did all the right things as an organization doesn’t mean you are off the hook, but it could possibly be the difference between paying thousands of dollars or millions.

I sincerely hope that this has helped.  How do you keep Due Diligence and Due Care?


Quick Disclaimer

Now as a disclaimer,  I’m not a lawyer and examples provided above on negligence is my working knowledge based on my professional and educational experiences.  Legal advice should be sought out by a licensed professional.  

Drawing on over two decades of experience in the Information Technology industry, I have acquired a diverse range of roles that have shaped my distinctive outlook. Through this journey, I have developed into an accomplished authority in risk management, catering to Fortune 500 companies and small businesses on a global scale. Over the past 12 years, my primary focus has centered on empowering small business owners and insurance professionals to comprehend the ramifications of cyber incidents and effectively mitigate the risks associated with potential data breaches. My passion for cybersecurity has inspired me to create the Sage Knows IT blog. Through this platform, I aim to help small business owners and aspiring IT professionals understand the roadmap of the IT industry based on my experiences. Information Technology and Information Security are crucial for our future, and I hope my blog will motivate those who are interested in joining this ever-evolving field.

Related Posts

Maximizing Email Security: Understanding the Importance of DKIM, SPF, and DMARC

Email is a crucial part of our daily lives, but unfortunately, it’s also a popular target for cybercriminals who use various tactics like spam, phishing, and spoofing to scam people. The FTC recently issued a warning to users of MetaMask and PayPal about phishing scams that are currently circulating through fake emails. The scam claims that the user’s cryptocurrency wallet has been blocked and encourages them to click a link and update their wallet to prevent the loss of their crypto. To protect email users from these threats, authentication protocols like DKIM, SPF, and DMARC are strongly recommended.

Top 10 Cybersecurity Job Sites

Top 10 Job Sites for Cybersecurity Professionals

As the world continues to rely heavily on technology, the demand for cybersecurity professionals continues to grow. Cybersecurity jobs offer high salaries, job security, and a wide range of career options. However, finding the right job can be challenging.

Investigating the FAA Outage: Separating Fact from Fiction

On January 11th, the Federal Aviation Administration (FAA) experienced a nationwide outage that caused widespread delays and cancellations for flights across the United States. The outage was caused by a problem with the FAA’s NOTAM (Notice To Air Mission) system.

NOTAMs are messages issued by the FAA to provide pilots with important information about flight restrictions, hazards, and other critical information. The NOTAM system is a critical component of the FAA’s air traffic control infrastructure, and the outage caused a ripple effect throughout the entire aviation system.

Failing Exams: How to Turn Failure into an Opportunity for Growth

One of the most valuable lessons I have learned is that failing an exam is not the end of the world. In fact, it can be a crucial step in the learning process. When we fail, it forces us to take a step back and assess what went wrong.

What Is Symmetric Encryption? [VIDEO]

Symmetric Encryption is an algorithm that uses the same secret key to both encrypt and decrypt plaintext into ciphertext….

CIA Triad 2022

Understanding the CIA Triad in 2022

A question I commonly see when individuals are trying to break into the Cybersecurity industry is: What do I need to understand to be successful and make…