  1. Security Tinkerer
    Join Date
    Sep 2004
    Location
    I'm convinced, we all live in the Matrix.
    Posts
    1,228

    Certifications
    CISSP, CCSP, CNSS-4013+4011, MCT, MCSA2K3, CWNA, MCSE2K3:Sec, LPT, ECSA, CEH, CHFI, CCNA, CS-CFW, CCIE-Sec/Written, etc.
    #1

    Describe the main differences in due diligence and due care

    Describe the main differences in due diligence and due care.

  3. Certification Invigilator Forum Admin JDMurray's Avatar
    Join Date
    Jul 2003
    Location
    Surf City USA
    Posts
    10,616
    Blog Entries
    50

    Certifications
    GSEC, EnCE, CISSP, SSCP, CEH (ANSI), CASP, CCNA, CCENT, CWSP, CWNA, CWTS, Security+, Server+, Network+, A+, DHTI+, PDI+, MSIT InfoSec
    #2
    Oh, I hate these two. It's like describing the difference between "jealousy" and "envy." Kinda the same thing but not exactly. Here goes:

    Due diligence is performing reasonable examination and research before committing to a course of action. Basically, "look before you leap." In law, you would perform due diligence by researching the terms of a contract before signing it. The opposite of due diligence might be "haphazard" or "not doing your homework."

    Due care is performing the ongoing maintenance necessary to keep something in proper working order, or to abide by what is commonly expected in a situation. This is especially important if the due care situation exists because of a contract, regulation, or law. The opposite of due care is "negligence."
    Moderator of the InfoSec, CWNP, IT Jobs, Virtualization, Java, and Microsoft Developers forums at www.techexams.net
    --
    Blog: www.techexams.net/blogs/jdmurray
    LinkedIn: www.linkedin.com/in/jamesdmurray
    Twitter: www.twitter.com/jdmurray

  4. Where's Waldo Finalist
    Join Date
    Aug 2004
    Posts
    641

    Certifications
    I used to care what this said.
    #3

    diligence vs care

    Due Diligence – Identifying threats and risks

    Due Care – Acting upon findings to mitigate risks

  5. Security Tinkerer
    #4
    Quote Originally Posted by jdmurray
    Oh, I hate these two. It's like describing the difference between "jealousy" and "envy." Kinda the same thing but not exactly.
    You are exactly right JD and sadly, this is one of those that confuse people the most. The differences are like you pointed out, very marginal. To date I've served as an expert witness on about 6 court cases, and these terms are thrown around a lot.

  6. Certification Invigilator Forum Admin JDMurray's Avatar
    #5
    In law, "care" seems to be with respect to a person's actions, while "diligence" seems to be in regards to following a process. The term "due" is a synonym for "reasonable," and in both cases you are trying to determine if negligence has occurred. Very subjective.

    If the CBK doesn't use the same definitions for these terms as the judicial system does, then I can see a lot of confusion in court cases resulting from the use of terms with incompatible definitions.

  7. Security Tinkerer
    #6
    Quote Originally Posted by jdmurray
    In law, "care" seems to be with respect to a person's actions, while "diligence" seems to be in regards to following a process. The term "due" is a synonym for "reasonable," and in both cases you are trying to determine if negligence has occurred. Very subjective.

    If the CBK doesn't use the same definitions for these terms as the judicial system does, then I can see a lot of confusion in court cases resulting from the use of terms with incompatible definitions.
    In court the terms are thrown around for various reasons. And oftentimes attorneys use them improperly...even on purpose occasionally. There's probably not as much confusion as you might think.

  8. Security Tinkerer
    #7
    Here's a follow-up to this question. I decided to point out some characteristics of due care and then some of due diligence.

    Due Care
    Taking responsibility for security
    Demonstrating that responsibility is taken
    Planning for threats and vulnerabilities
    Documenting the processes

    Due Diligence
    Implementing controls
    Ensuring controls are monitored and updated
    Having a team that assesses all threats and evaluates loss
    Reviewing adequacy of threat analysis
    Ongoing risk assessment and documentation

  9. Member
    Join Date
    Jun 2013
    Posts
    37
    #8
    JD, would you say a main difference between these two terms is that "due diligence" deals more in thought and "due care" more in action?

    I just re-read these terms in Conrad and for at least a second time on this topic felt perplexed. He gives an example of expecting your I.T. staff to patch their systems as being a form of "due care" and your verifying that they did this as "due diligence." From his example, like yours, it seems like "due care" describes some thoughts we would expect someone to have...like your Sys Admins thinking about patching their systems to mitigate potential risks to them...And due diligence would be more your taking some action steps to verify your staff did what you would expect them to do based on that "responsible" (security-aware) mentality.

    Also, how would "gross negligence" come into play? For example, say that you had done all the right research from a security standpoint but then acted against it, for one reason or another (e.g., you were rushed on work and just acted on impulse, or whatever): is that an example of "gross negligence" because ultimately, in action, you didn't do what you were supposed to do from a security standpoint?

    Thanks,

    Dovid
    Last edited by Chassidic1; 06-26-2013 at 09:01 PM.

  10. Paper cranes for everyone the_hutch's Avatar
    Join Date
    Dec 2011
    Location
    We all live in a yellow submarine...
    Posts
    804

    Certifications
    BSIT (CNSS 4011, 4012) / Sec+, Net+, CFOI, CEH, ECSA, CHFI, CNDA, CISSP, OSCP
    #9
    Keep studying your notes and you will understand the difference in due time...

    See what I did there ^^^. Yup...I amuse myself. ***Walks off chuckling***

  11. Senior Member dmoore44's Avatar
    Join Date
    Sep 2010
    Location
    DFW
    Posts
    628

    Certifications
    Security+, CISSP, CEH
    #10
    Quote Originally Posted by the_hutch View Post
    Keep studying your notes and you will understand the difference in due time...

    See what I did there ^^^. Yup...I amuse myself. ***Walks off chuckling***
    Yuk yuk yuk.
    Enrolled
    Carnegie Mellon University MSIT: Information Security & Assurance

    Currently Reading

    School Books

  12. Senior Member dmoore44's Avatar
    #11
    Quote Originally Posted by Chassidic1 View Post
    JD, would you say a main difference between these two terms if that "due diligence" deals more in thought and "due care" more in action?
    Even though I'm not JD, I would say that this is probably the best way of remembering the difference. Personally, I would modify your statement slightly to this:

    Due Diligence: Performing the necessary research
    Due Care: Performing the actions identified as necessary from due diligence

  13. Certification Invigilator Forum Admin JDMurray's Avatar
    #12
    Quote Originally Posted by dmoore44 View Post
    Due Diligence: Performing the necessary research
    Due Care: Performing the actions identified as necessary from due diligence
    I would not say that due care is always derived from an action(s) of due diligence. There are many common, mundane acts of due care that require no a priori due diligence to determine or prove that they are necessary. They are considered self-evident or simply common sense. Each one of these concepts does not necessarily lead to or from the other.

  14. Senior Member --chris--'s Avatar
    Join Date
    Jul 2013
    Location
    Metro Detroit
    Posts
    1,401

    Certifications
    ITIL F, C|EH
    #13
    @JDMurray. I thought you would get a kick out of this. Someone in my online class used your first post in this thread as a reference.

  15. Senior Member
    Join Date
    May 2007
    Posts
    430

    Certifications
    CISSP, GCIA
    #14
    That's awesome, haha.

  16. Senior Member
    Join Date
    Oct 2013
    Location
    Washington DC
    Posts
    498

    Certifications
    OSCP, eMAPT, eWPT, CISSP, GPEN, GWAPT, GCIH, GCIA, GSEC, CEH, CNDA, ECSA, CHFI, Sec+, Net+
    #15
    lol...more reliable than citing Wikipedia. I opened this thread, about to ask "who is the b*stard that necrovived this old thread"...but this was worth it.

  17. Sine Metu jvrlopez's Avatar
    Join Date
    Jul 2013
    Posts
    887

    Certifications
    CISSP, CCNA, CEH v7, Sec+, Net+, LPI Linux Essentials
    #16
    Hah, that's awesome! Wonder if that's the format for citing authors by screen name or he just got lucky that JD's handle is pretty similar to a name.

  18. Senior Member --chris--'s Avatar
    #17
    Quote Originally Posted by jvrlopez View Post
    Hah, that's awesome! Wonder if that's the format for citing authors by screen name or he just got lucky that JD's handle is pretty similar to a name.
    I am 95% certain the person "wung" it and fudged the correct citation method a bit lol. Our instructor has been very clear that sources are to be reliable. Not saying this forum provides unreliable info, but for a graded college paper...I wouldn't cite from here.

  19. Certification Invigilator Forum Admin JDMurray's Avatar
    #18
    A public forum is "opinion" only, so as long as the reference makes it clear that it is referring to a posting in a public forum it's a proper reference.

    And that reference does have my proper name. Check my LinkedIn page in my sig.
    Moderator of the InfoSec, CWNP, IT Jobs, Virtualization, Java, and Microsoft Developers forums at www.techexams.net
    --
    Blog: www.techexams.net/blogs/jdmurray
    LinkedIn: www.linkedin.com/in/jamesdmurray
    Twitter: www.twitter.com/jdmurray

  20. Member
    Join Date
    Jan 2017
    Posts
    34
    #19

    DC vs DD

    My impression is that the appropriate 'research' and 'homework' that is done before taking action is Due Diligence. I can picture my boss telling me we need to purchase a server and I need to make a recommendation. At a later date I tell him I looked into all the different types and I have decided on Server XYZ. He could then ask, "Did you do your due diligence?"

    It's almost like a soft skill...

    Due care to me is more like a repeatable process that has 'procedural actions' and failure to do them correctly is much more serious and you could be liable. Chain of custody comes to mind..

    For what it's worth, the following is taken from ANS LTDD 1.0 2015:
    Due diligence is a legal performance standard – financial due diligence and environmental before completing a transaction (merger or purchase)

    So in my mind, prior to committing to performing an action, you would do your due diligence. It is what you have done in the past to ensure sound decision making.

  21. Certification Invigilator Forum Admin JDMurray's Avatar
    #20
    I usually tell my students:

    Due diligence = "Doing your research before committing to a course of action."
    Due care = "Performing processes and procedures as required by both explicit and implicit policies."
    Wow Sirkassad, you sure love yanking up these old threads!