Describe the main differences in due diligence and due care

keatron (Member, Posts: 1,213):
Describe the main differences in due diligence and due care.
Comments
JDMurray (Admin, Posts: 13,091):
Oh, I hate these two. It's like describing the difference between "jealousy" and "envy." Kinda the same thing but not exactly. Here goes:
Due diligence is performing reasonable examination and research before committing to a course of action. Basically, "look before you leap." In law, you would perform due diligence by researching the terms of a contract before signing it. The opposite of due diligence might be "haphazard" or "not doing your homework."
Due care is performing the ongoing maintenance necessary to keep something in proper working order, or to abide by what is commonly expected in a situation. This is especially important if the due care situation exists because of a contract, regulation, or law. The opposite of due care is "negligence."
seuss_ssues (Member, Posts: 629):
Due Diligence – Identifying threats and risks
Due Care – Acting upon findings to mitigate risks
keatron (Member, Posts: 1,213):
jdmurray wrote:
"Oh, I hate these two. It's like describing the difference between "jealousy" and "envy." Kinda the same thing but not exactly."
You are exactly right JD and sadly, this is one of those that confuses people the most. The differences are, like you pointed out, very marginal. To date I've served as an expert witness on about 6 court cases, and these terms are thrown around a lot.
JDMurray (Admin, Posts: 13,091):
In law, "care" seems to be with respect to a person's actions, while "diligence" seems to be in regards to following a process. The term "due" is a synonym for "reasonable," and in both cases you are trying to determine if negligence has occurred. Very subjective.
If the CBK doesn't use the same definitions for these terms as the judicial system does, then I can see a lot of confusion in court cases resulting from the use of terms with incompatible definitions.
keatron (Member, Posts: 1,213):
jdmurray wrote:
"In law, "care" seems to be with respect to a person's actions, while "diligence" seems to be in regards to following a process. The term "due" is a synonym for "reasonable," and in both cases you are trying to determine if negligence has occurred. Very subjective.
If the CBK doesn't use the same definitions for these terms as the judicial system does, then I can see a lot of confusion in court cases resulting from the use of terms with incompatible definitions."
In court the terms are thrown around for various reasons. And oftentimes attorneys use them improperly...even on purpose occasionally. There's probably not as much confusion as you might think.
keatron (Member, Posts: 1,213):
Here's a follow-up to this question. I decided to point out some characteristics of due care and then some of due diligence.
Due Care:
- Taking responsibility for security
- Demonstrating that responsibility is taken
- Planning for threats and vulnerabilities
- Documenting the processes
Due Diligence:
- Implementing controls
- Ensuring controls are monitored and updated
- Having a team that assesses all threats and evaluates loss
- Reviewing adequacy of threat analysis
- Ongoing risk assessment and documentation
Chassidic1 (Member, Posts: 37):
JD, would you say a main difference between these two terms is that "due diligence" deals more in thought and "due care" more in action?
I just re-read these terms in Conrad and for at least a second time on this topic felt perplexed. He gives an example of expecting your I.T. staff to patch their systems being a form of "due care" and your verifying that they did this "due diligence." From his example, like yours, it seems like "due care" describes some thoughts we would expect someone to have...like your Sys Admins thinking about patching their systems to mitigate potential risks to them...And due diligence would be more your taking some action steps to verify your staff did what you would expect them to do based on that "responsible" (security-aware) mentality.
Also, how would "gross negligence" come into play? For example, say that you had done all the right research from a security standpoint but then acted against it, for one reason or another (e.g., you were rushed on work and just acted on impulse, or whatever): is that an example of "gross negligence" because ultimately, in action, you didn't do what you were supposed to do from a security standpoint?
Thanks,
Dovid
the_hutch (Banned, Posts: 827):
Keep studying your notes and you will understand the difference in due time...
See what I did there ^^^. Yup...I amuse myself. ***Walks off chuckling***
dmoore44 (Member, Posts: 646):
the_hutch wrote:
"Keep studying your notes and you will understand the difference in due time...
See what I did there ^^^. Yup...I amuse myself. ***Walks off chuckling***"
Yuk yuk yuk.
dmoore44 (Member, Posts: 646):
Chassidic1 wrote:
"JD, would you say a main difference between these two terms is that "due diligence" deals more in thought and "due care" more in action?"
Even though I'm not JD, I would say that this is probably the best way of remembering the difference. Personally, I would modify your statement slightly to this:
Due Diligence: Performing the necessary research
Due Care: Performing the actions identified as necessary from due diligence
JDMurray (Admin, Posts: 13,091):
dmoore44 wrote:
"Due Diligence: Performing the necessary research
Due Care: Performing the actions identified as necessary from due diligence"
NovaHax (Member, Posts: 502):
lol...more reliable than citing Wikipedia. I opened this thread, about to ask "who is the b*stard that necrovived this old thread"...but this was worth it.
jvrlopez (Member, Posts: 913):
Hah, that's awesome! Wonder if that's the format for citing authors by screen name or he just got lucky that JD's handle is pretty similar to a name.
--chris-- (Member, Posts: 1,518):
jvrlopez wrote:
"Hah, that's awesome! Wonder if that's the format for citing authors by screen name or he just got lucky that JD's handle is pretty similar to a name."
I am 95% certain the person "wung" it and fudged the correct citation method a bit lol. Our instructor has been very clear that sources are to be reliable. Not saying this forum provides unreliable info, but for a graded college paper...I wouldn't cite from here.
JDMurray (Admin, Posts: 13,091):
A public forum is "opinion" only, so as long as the reference makes it clear that it is referring to a posting in a public forum it's a proper reference.
And that reference does have my proper name. Check my LinkedIn page in my sig.
Sirkassad (Member, Posts: 43):
My impression is that the appropriate 'research' and 'homework' that is done before taking action is Due Diligence. I can picture my boss telling me we need to purchase a server and I need to make a recommendation. At a later date I tell him I looked into all the different types and I have decided on Server XYZ. He could then ask, "Did you do your due diligence?"
It's almost like a soft skill...
Due care to me is more like a repeatable process that has 'procedural actions' and failure to do them correctly is much more serious and you could be liable. Chain of custody comes to mind..
For what it's worth, the following is taken from ANS LTDD 1.0 2015:
"Due diligence is a legal performance standard – financial due diligence and environmental before completing a transaction (merger or purchase)"
So in my mind, prior to committing to performing an action, you would do your due diligence. It is what you have done in the past to ensure sound decision making.
JDMurray (Admin, Posts: 13,091):
I usually tell my students:
Due diligence = "Doing your research before committing to a course of action."
Due care = "Performing processes and procedures as required by both explicit and implicit policies."
Wow Sirkassad, you sure love yanking up these old threads!