Due care, due diligence or neither

mnashe

I have a quick question.

If you developed a public facing website and you didn't follow secure coding practices (input validation for example), is that a lack of due care, due diligence, or neither?

scaredoftests

all depends on who you are doing the website for. I would think lack of due diligence.

mnashe

scaredoftests wrote: »

all depends on who you are doing the website for. I would think lack of due diligence.

I was trying to think of random scenarios in my head. In this case, I was looking at it as an in-house developer that works for Company A, designed an e-comm site that Company A will use for it's customers.

I was thinking it was due diligence

mattster79

Due diligence is typically associated with business leaders, laws and regulations. Due care is applicable to everyone and could be used to show negligence.

roxer

That's a good question. That's one of the questions that always has me guessing on tests.

TechGuru80

[FONT=&amp]Conrad:[/FONT]
[FONT=&amp]Whereas due care intends to set a minimum necessary standard of care to be employed by an organization , due diligence requires that an organization continually scrutinize their own practices to ensure that they are always meeting or exceeding the requirements for protection of assets and stakeholders. Due diligence is the management of due care, and it follows a formal process.[/FONT]

I have always thought of it this way...due care (a point in time) setting a standard/policy/etc., due diligence is continually updating or testing what was set.

Given the example, if you did not initially follow best practices in the development and release...you did not practice due care....if you did not continuously test your website and resolve any new vulnerabilities, then you are not practicing due diligence.

https://resources.infosecinstitute.com/category/certifications-training/cissp/domains/security-and-risk-management/due-care-vs-due-diligence/#gref
https://www.cybrary.it/forums/topic/due-care-vs-due-diligence/

SteveLavoie

+1 for TechGuru80

cledford3

TechGuru80 wrote: »

I have always thought of it this way...due care (a point in time) setting a standard/policy/etc., due diligence is continually updating or testing what was set.

Given the example, if you did not initially follow best practices in the development and release...you did not practice due care....if you did not continuously test your website and resolve any new vulnerabilities, then you are not practicing due diligence.

https://resources.infosecinstitute.com/category/certifications-training/cissp/domains/security-and-risk-management/due-care-vs-due-diligence/#gref
https://www.cybrary.it/forums/topic/due-care-vs-due-diligence/

As an aside - the InfoSec link was the worst explanation of either I've ever seen - not even considering the typos :-\

This topic is extraordinarily confusing - and I've have found ZERO consistency regarding either term since I've started studying. None of the major study resources seems to agree, and to me, they often are essentially the inverse of one another. I can say that BOTH terms are legal in nature and maybe there lays the true answer. A number of people claim to know the answer and state "due care means such and such" and due diligence means so and so", yet NONE provide citations - outside the CISSP study material - which, as stated, is often contradictory. The best I've been able to come up with is that possibly they both must mean different things based on different circumstances - which is not good when studying for an exam. I would LOVE to see someone cite something other than a CISSP study guide to define these terms.

Here are some of the notes I've scraped from various resources as I've attempted to run this to ground - I can't vouch for the validity. I've also searched in all of the major NIST documents (where ISC2 seems to have sourced most of their content) and can't find anything definitive.

-Calvin

"I agree about the conflicting descriptions. For CISSP purposes it seems to refer to roles. Users or Custodians seem to need to practice Due Care and Management needs to practice Due Diligence. I’m not sure where I got this but I have this in my notes:

Expecting your staff to keep their systems patched means you expect them to exercise due care. Verifying that your staff has patched their systems is an example of due diligence.

Edit: Just realized that came from the Eric Conrad 11th Hour book pg 57"

---

"Due Diligence is the assessment of the risks (identification, likelihood, consequences if realized). That differs from the way this concept is used in related fields: in compliance and audit, due diligence is, instead, keeping current on normative.

Due Care is doing what a reasonable person would do about those risks (e.g. installing and enforcing a policy, executing a procedure, or even nothing when hardening, mitigating or transferring a risk cost more than its consequences; showing due diligence is essential in this case)."

---

"This helped me with the differences:
due Diligence = Detect
due Care = Correct

Management needs to be aware of the risks (detecting the risks ~ due diligence). Management solutions are usually delegated to IT workers (correction of the risk ~ putting controls in place ~ due care)."

gespenstern

Both these are legal terms.

That means if you, let's say, get hacked, and lose HIPAA data, and get audited and, in your futile attempts to defend yourself you claim that you didn't know about the vulnerability the hackers have exploited -- you are subjecting yourself to failing due diligence. If you try to play the card of you knowing about the vulnerability, but not patching it on time because circumstances, you are subjecting yourself to failing due care.

mnashe

All great responses. Thanks for this.

Info_Sec_Wannabe

Based from what I can recall from Kelly's CISSP course, due diligence is the planning and due care is the doing. So +1 for cledford3.

P.S. - For those who watched the videos and listened to the MP3, please feel free to correct me.

franziskaner

Due care - The web developer (Individual, not the company) should act in a reasonable way when they develop the website. Their actions should be consistent with a 'prudent man'.

Due diligence - The developer's management should put in place the relevant policy, procedure and standards that help ensure the company builds websites in a secure manner, including adequate training for staff, checking work meets standards etc.

If the company has all that in place, and secure coding isn't followed because the developer was lazy etc, then it's lack of due care by the developer. If the developer does what they think is best but doesn't have adequate training/procedure/standards etc to guide them, then it's a lack of diligence by the company.

Disclaimer: I could be completely wrong, but that's my take on it from the study material I remember.