Which of the following would VIOLATE the Due Care concept?
A. Security policy being outdated
B. Data owners not laying out the foundation of data protection
C. Network administrator not taking mandatory two-week vacation as planned
D. Latest security patches for servers only being installed once a week
Violating Due Diligence may mean not working diligently enough.
Comment: Choice C says there is a mandatory two-week vacation, but he simply did not take it. Therefore, it is a diligence issue. Care is shown by mandating the two-week vacation.
B. Due care is when the necessary steps to help protect the company and its resources from possible risks have been taken. If the information owner does not lay out the foundation of data protection and ensure that the directives are being enforced, this would violate the due care concept. Due diligence is practiced by activities that make sure that the protection mechanisms are continually maintained and operational. The security policy being outdated would be an example of violating the due diligence concept. Any reason could force a network administrator to delay a planned vacation. Not taking any vacation would probably violate the company's security policy, thus violating the due diligence concept. Security patches only being installed periodically could only mean a violation of the due diligence concept if the security policy specified that patches should be installed as soon as they are available.
The correct answer is 'Data owners not laying out the foundation of data protection'. If the information owner does not lay out the foundation of data protection and ensure that the directives are being enforced, this would violate the due care concept.
The other answers are incorrect because:
Security policy being outdated is incorrect, as it would violate the due diligence concept.
Network administrator not taking mandatory two-week vacation as planned is also incorrect, as this would also violate the due diligence concept.
Latest security patches for servers only being installed once a week is also incorrect, as this would violate the due diligence concept.
Reference: Shon Harris AIO v3, Chapter 3: Security Management Practices, Pages 7, 46.
Last Modified - 06/08/2007 - S G Krishnan
Comment:
Due diligence is the act of investigating and understanding the risks the company faces. A company practices due care by developing and implementing security policies, procedures, and standards. Due care shows that a company has taken responsibility for the activities that take place within the corporation and has taken the necessary steps to help protect the company, its resources, and employees from possible threats. So, due diligence is understanding the current threats and risks and due care is implementing countermeasures to provide protection from those threats. If a company does not practice due care and due diligence pertaining to the security of its assets, it can be legally charged with negligence and held accountable for any ramifications of that negligence.