Describe the main differences in due diligence and due care

keatron Posts: 1,206 Member
Describe the main differences in due diligence and due care.

Comments

  • JDMurray Certification Invigilator, Surf City, USA Posts: 11,026 Admin
    Oh, I hate these two. It's like describing the difference between "jealousy" and "envy." Kinda the same thing but not exactly. Here goes:

    Due diligence is performing reasonable examination and research before committing to a course of action. Basically, "look before you leap." In law, you would perform due diligence by researching the terms of a contract before signing it. The opposite of due diligence might be "haphazard" or "not doing your homework."

    Due care is performing the ongoing maintenance necessary to keep something in proper working order, or to abide by what is commonly expected in a situation. This is especially important if the due care situation exists because of a contract, regulation, or law. The opposite of due care is "negligence."
    Moderator of the InfoSec, CWNP, IT Jobs, Virtualization, Java, and Microsoft Developers forums at www.techexams.net
    --
    Blog: www.techexams.net/blogs/jdmurray
    LinkedIn: www.linkedin.com/in/jamesdmurray
    Twitter: www.twitter.com/jdmurray
  • seuss_ssues Posts: 629 Member
    Due Diligence – Identifying threats and risks

    Due Care – Acting upon findings to mitigate risks
  • keatron Posts: 1,206 Member
    JDMurray wrote:
    Oh, I hate these two. It's like describing the difference between "jealousy" and "envy." Kinda the same thing but not exactly.

    You are exactly right JD and sadly, this is one of those that confuse people the most. The differences are like you pointed out, very marginal. To date I've served as an expert witness on about 6 court cases, and these terms are thrown around a lot.
  • JDMurray Certification Invigilator, Surf City, USA Posts: 11,026 Admin
    In law, "care" seems to be with respect to a person's actions, while "diligence" seems to be in regards to following a process. The term "due" is a synonym for "reasonable," and in both cases you are trying to determine if negligence has occurred. Very subjective.

    If the CBK doesn't use the same definitions for these terms as the judicial system does, then I can see a lot of confusion in court cases resulting from the use of terms with incompatible definitions.
  • keatron Posts: 1,206 Member
    JDMurray wrote:
    In law, "care" seems to be with respect to a person's actions, while "diligence" seems to be in regards to following a process. The term "due" is a synonym for "reasonable," and in both cases you are trying to determine if negligence has occurred. Very subjective.

    If the CBK doesn't use the same definitions for these terms as the judicial system does, then I can see a lot of confusion in court cases resulting from the use of terms with incompatible definitions.

    In court the terms are thrown around for various reasons. And oftentimes attorneys use them improperly...even on purpose occasionally. There's probably not as much confusion as you might think.
  • keatron Posts: 1,206 Member
    Here's a follow up to this question. I decided to point out some characteristics of due care and then some of due diligence.

    Due Care
    Taking responsibility for security
    Demonstrating that responsibility is taken
    Planning for threats and vulnerabilities
    Documenting the processes

    Due Diligence
    Implementing controls
    Ensuring controls are monitored and updated
    Having a team that assesses all threats and evaluates loss
    Reviewing adequacy of threat analysis
    Ongoing risk assessment and documentation
  • Chassidic1 Posts: 37 Member
    JD, would you say a main difference between these two terms is that "due diligence" deals more in thought and "due care" more in action?

    I just re-read these terms in Conrad and for at least a second time on this topic felt perplexed. He gives an example of expecting your I.T. staff to patch their systems being a form of "due care" and your verifying that they did this "due diligence." From his example, like yours, it seems like "due care" describes some thoughts we would expect someone to have...like your Sys Admin's thinking about patching their systems to mitigate potential risks to them...And due diligence would be more your taking some action steps to verify your staff did what you would expect them to do based on that "responsible" (security-aware) mentality.

    Also, how would "gross negligence" come into play. For example, say that you had done all the right research from a security standpoint but then acted against them, for one reason or another (e.g., you were rushed on work and just acted on impulse, or whatever): is that an example of "gross negligence" because ultimately, in action, you didn't do what you were supposed to do from a security standpoint?

    Thanks,

    Dovid
  • the_hutch Posts: 827 Banned
    Keep studying your notes and you will understand the difference in due time...

    See what I did there ^^^. Yup...I amuse myself. ***Walks off chuckling***
    Justin Hutchens
    www.linkedin.com/in/justinhutchens
    http://www.youtube.com/drstarskymrhutch - BackTrack / Kali-Linux Tutorials - CHECK EM OUT AND SUBSCRIBE!!! :thumbup:
  • dmoore44 Posts: 646 Member
    the_hutch wrote:
    Keep studying your notes and you will understand the difference in due time...

    See what I did there ^^^. Yup...I amuse myself. ***Walks off chuckling***

    Yuk yuk yuk.
    Graduated Carnegie Mellon University MSIT: Information Security & Assurance Currently Reading Books on TensorFlow
  • dmoore44 Posts: 646 Member
    Chassidic1 wrote:
    JD, would you say a main difference between these two terms if that "due diligence" deals more in thought and "due care" more in action?

    Even though I'm not JD, I would say that this is probably the best way of remembering the difference. Personally, I would modify your statement slightly to this:

    Due Diligence: Performing the necessary research
    Due Care: Performing the actions identified as necessary from due diligence
  • JDMurray Certification Invigilator, Surf City, USA Posts: 11,026 Admin
    dmoore44 wrote:
    Due Diligence: Performing the necessary research
    Due Care: Performing the actions identified as necessary from due diligence
    I would not say that due care is always derived from an action(s) of due diligence. There are many common, mundane acts of due care that require no a priori due diligence to determine or prove that they are necessary. They are considered self-evident or simply common sense. Each one of these concepts does not necessarily lead to or from the other.
  • --chris-- Posts: 1,510 Member
    @JDMurray. I thought you would get a kick out of this. Someone in my online class used your first post in this thread as a reference.

    [image attachment: screenshot of the citation]

  • cgrimaldo Posts: 439 Member
    That's awesome, haha.
  • NovaHax Posts: 502 Member
    lol...more reliable than citing wikipedia. I opened this thread, about to ask "who is the b*stard that necrovived this old thread"...but this was worth it.
  • jvrlopez Posts: 910 Member
    Hah, that's awesome! Wonder if that's the format for citing authors by screen name or he just got lucky that JD's handle is pretty similar to a name.
    And so you touch this limit, something happens and you suddenly can go a little bit further. With your mind power, your determination, your instinct, and the experience as well, you can fly very high. ~Ayrton Senna
  • --chris-- Posts: 1,510 Member
    jvrlopez wrote:
    Hah, that's awesome! Wonder if that's the format for citing authors by screen name or he just got lucky that JD's handle is pretty similar to a name.

    I am 95% certain the person "wung" it and fudged the correct citation method a bit lol. Our instructor has been very clear that sources are to be reliable. Not saying this forum provides unreliable info, but for a graded college paper...I wouldn't cite from here.
  • JDMurray Certification Invigilator, Surf City, USA Posts: 11,026 Admin
    A public forum is "opinion" only, so as long as the reference makes it clear that it is referring to a posting in a public forum it's a proper reference.

    And that reference does have my proper name. Check my LinkedIn page in my sig.
  • Sirkassad Posts: 32 Member
    My impression is that the appropriate 'research' and 'homework' that is done before taking action is Due Diligence. I can picture my boss telling me we need to purchase a server and I need to make a recommendation. At a later date I tell him I looked into all the different types and I have decided on Server XYZ. He could then ask, "Did you do your due diligence?"

    It's almost like a soft skill...

    Due care to me is more like a repeatable process that has 'procedural actions' and failure to do them correctly is much more serious and you could be liable. Chain of custody comes to mind...

    For what it's worth, the following is taken from ANS LTDD 1.0 2015:
    Due diligence is a legal performance standard – financial due diligence and environmental before completing a transaction (merger or purchase)

    So in my mind, prior to committing to performing an action, you would do your due diligence. It is what you have done in the past to ensure sound decision making.
  • JDMurray Certification Invigilator, Surf City, USA Posts: 11,026 Admin
    I usually tell my students:

    Due diligence = "Doing your research before committing to a course of action."
    Due care = "Performing processes and procedures as required by both explicit and implicit policies."

    Wow Sirkassad, you sure love yanking up these old threads!