One of the toughest things when studying for the Certified Information Systems Security Professional (CISSP) test is understanding the concept of Due Diligence and Due Care. It should be an easy concept to understand, right? One deals with doing the right thing from an administrative perspective, like setting guidelines to prevent others from sending unencrypted emails with sensitive information outside the organization, while the other deals with the action you take to prevent those emails from getting out.
At times, I feel like that famous Spider-Man .GIF of the twins pointing at each other and it hurts my head. It’s imperative that I get this right, but it is equally important to understand why I keep getting it wrong.
Why Do I Get Due Diligence and Due Care Mixed Up?
Since root cause is my thing, I decided to explore the reasons why I understand which goes with which one moment and the next, it’s out the window. If I’m being honest with myself, I’d have to admit that I overthink nearly everything, especially when being tested.
Not a great quality, I know, but I always feel that when I take tests, the questions are out to get me. Everything is considered a trick question, and the most obvious answer couldn't be it. A lot of that stems from my childhood and the way teachers would quiz us.
Two of the answers were nearly identical to each other and close enough to the right answer, while the two other answers were nearly identical and clearly wrong. When I used the process of elimination on the latter two, I would find myself conflicted. Sorting through my working knowledge, I would select what I perceived to be the most plausible answer and move on to the next question.
Once the test was completed, I would double-check my answers and commit the cardinal sin of test taking. Yes, you guessed it, I'd persuade myself to change the answer because my mind kept circling around it. When the test was graded and returned, I would kick myself. I should never have switched answers.
Going forward, I needed to figure out the best way for me to not get it wrong again. The easiest way to remember, I find, is by assigning a keyword to each.
What Is Due Diligence (DD)?
The keyword for DD is aDministrative. When I think of the word administrative, it becomes synonymous with paperwork and Human Resources in my mind. DD is simply the pre-work you do before implementing reasonable controls: understanding the rules, laws, regulations and industry best practices that apply to you.
Quick Tip: Before running, you normally would do a few things, right? Check the weather, do stretches and get a bottle of water. Why? Because this is the prep work to ensure that you are running in optimal and safe conditions, so you won't pull a muscle or pass out.
And What Is Due Care (DC)?
The keyword for DC is aCtion. Did you see what I did there? The important thing to remember is that DC is the "action" you take in response to DD in an effort to do the right thing. Case in point: adjusting technology controls like firewalls, deploying content management filters, and training your employees to report suspicious activity and emails to IT or management are all actions you would take to improve your IT infrastructure.
Pro Tip: DC always comes after DD. In our running example from the previous section, DC would be drinking the water to stay hydrated and staying on the sidewalk to avoid being hit by vehicles. It is the action you take in relation to the DD.
How to Get It Right: Can I Get A T-Chart?
Aside from studying, I know I have to figure out a way to get this right. I think the key is understanding the way you learn best and applying that to the concept. If you are unsure of your learning style, I would recommend taking a quick assessment at How To Study.
For me, I am both an auditory and a visual learner, meaning I learn best when things are presented verbally or visually through demonstrations. I also like charts. I put this chart together to help my understanding. For a printable version, please go here.
Why Are These Terms Important?
During my studies, I commonly found that it was often overlooked why these terms were so important. Sure, they will show up on the test and it's important to grasp the concepts, but what exactly are the real-world implications?
I have found that, like many things in my professional life, these terms are linked to something legal (can never escape it). Both DD and DC are measures of an organization's legal liability in the event things go awry. The question often asked is whether the organization in question did everything prudently possible to prevent a negative action or behavior, like a data breach, from occurring. You will often hear the term negligence floating around, so I will take a few lines to explain that.
Negligence is when you willingly fail to apply controls to a known hazard, or knowingly ignore your responsibilities (also known as culpability) or obligations for personal benefit. In most cases, this misconduct is driven by financial benefit, laziness or lack of awareness. Now, there are some grey areas here.
Typically, legal counsel will build its case (from both a defense and a prosecution stance) on whether the officers, owners, directors and/or managers exercised Due Diligence and Due Care leading up to the events. If it is determined that they did everything reasonably possible to prevent the misconduct, including notifying the chain of command, following industry best practices and setting up reasonable safeguards, it will look favorably on the company's defense.
Conversely, if it is determined that they willingly ignored concerns raised by others (like IT), decided to ignore them because there was no financial benefit, or felt that they were not in the business of securing their own infrastructure, well, they may be looking for another job pretty soon.
More than a few lines, I know. Sometimes the overlooked items can make the difference in knowledge. It is also worth noting that just because you did all the right things as an organization doesn't mean you are off the hook, but it could be the difference between paying thousands of dollars and paying millions.
I sincerely hope that this has helped. How do you keep Due Diligence and Due Care straight?
Now, as a disclaimer, I'm not a lawyer, and the examples provided above on negligence are my working knowledge based on my professional and educational experiences. Legal advice should be sought from a licensed professional.
For over 20 years, I have had the distinct opportunity to work in the Information Technology space in a variety of roles. My unique position has helped me become a risk management maven for Fortune 500 companies and small businesses around the world.
I established Sage Knows I.T. as a way to help Small Business Owners and aspiring IT Professionals better understand the roadmaps of I.T. through the experiences I have had.