Differentiate between Due care vs Due Diligence.
Can someone please explain the difference between "due care" and "due diligence"? They seem very similar to one another and after researching more and more, I'm getting confused. One tech book described it like this: Due care is using reasonable care to protect the interests of an organization. Due diligence is practicing the activities that maintain the due care effort. For example, due care is developing a formalized security structure containing a security policy, standards, baselines, guidelines, and procedures. Due diligence is the continued application of this security structure onto the IT infrastructure of an organization. Operational security is the ongoing maintenance of continued due
And yet, other online resources have described it like this:
Due diligence is performing reasonable examination and research before committing to a course of action. Basically, "look before you leap." In law, you would perform due diligence by researching the terms of a contract before signing it. The opposite of due diligence might be "haphazard" or "not doing your homework."
Due care is performing the ongoing maintenance necessary to keep something in proper working order, or to abide by what is commonly expected in a situation. This is especially important if the due care situation exists because of a contract, regulation, or law. The opposite of due care is "negligence."
and still another person online phrased it as:
Due Diligence: Performing the necessary research
Due Care: Performing the actions identified as necessary from due diligence
These definitions all seem to be a little different from one another. What's real?
Due care vs Due Diligence
The issue is somewhat complicated by the fact that "due diligence" has a distinct, legal meaning in contract law, but since OP added the CISSP tag, I'll confine this answer to the usual meaning in that context.

Simply put, "due diligence" is what you know, and "due care" is what you do. Absence of "due care" might open you or your company to legal consequences (e.g. not following the law about data protection), while absence of "due diligence" would be more likely to open you up to making a bad decision or business deal.

"Due diligence" can also cover the verification (knowing) that "due care" actions have been carried out. This is where most folks get confused. The point is, "diligence" is about knowledge: knowledge of right- or wrong-doing (care). Have you done your research? Do you know where your assets are? Are your policies being followed? Answering those questions is all "due diligence."

"Due care" covers activities like following the policies, applying the patches, and encrypting the data as required by law. Frequently the data custodians are more concerned with exercising "due care" in handling data. Data owners, and management, are frequently more concerned with "due diligence" (e.g. are the policies being followed, and has "due care" been exercised when handling data).

With these ideas in mind, you can re-read the examples cited above, and perhaps they will make a bit more sense together. It can be a subtle distinction, but it's an important one.

Full disclosure: I've only had my CISSP for about five months. I don't claim my answer is perfect.