What is the difference between due diligence and due care in information security?
Due diligence is the process of establishing a comprehensive plan, procedure, policy and process to safeguard assets and protect the interests of an organization from various security threats. It focuses on knowing what should be done to protect organizational assets and rigorously planning for it. Senior management and security personnel are legally bound to practice due diligence in conducting their activities. Furthermore, a failure by senior management and other involved parties to exercise due diligence may create liability even though it is not a criminal act.
To fully understand due diligence, it is important to have a good understanding of due care, another crucial concept in cybersecurity. Due care describes the behavior that a reasonable person would practice in a given situation. In this context it is the behavior a reasonable individual would practice to maintain the confidentiality, integrity and availability (CIA) of an organization's information and information systems. Due diligence is therefore the concept of continuously ensuring that people's behavior meets the due care requirements that organizations establish.
Put another way, due diligence is the ongoing execution and monitoring of due care practices: the continuous actions that the organization and its personnel take to make sure that organizational assets are reasonably protected from cyberattacks. Practicing due care and conducting due diligence activities are also required to avoid claims of negligence in a court of law in the event of security incidents and disasters.