‘Due Care’ and ‘Due Diligence’ are two concepts that are more prevalent in the legal system but are also present in the Information security domain. They might sound very similar, but they are entirely different.

Due Diligence:

Due diligence is being ‘diligent’ and understanding the risks to a business. As an example, recognizing that fire, earthquakes, theft, employee discontentment and cyber attacks are risks to an organization is ‘due diligence’.

Due Care:

On the other hand, ‘Due Care’, as the name suggests, is taking ‘care’ of the risks. Addressing the risks that were found during the ‘due diligence’ phase is ‘Due Care’.

As an example, in order to address the risks found in the ‘due diligence’ phase, an organization might install anti-virus software on its machines, install fire extinguishers at various points in the company, formulate policies for the company and make sure that they are implemented well.

If an organization does not practice ‘due care’ and ‘due diligence’, it can be charged with negligence.

That is ‘Due Care’ and ‘Due Diligence’, one of the important concepts in Information security.


2 thoughts on “Due Care vs Due Diligence”

  1. Excellent examples you are giving. In big companies a lot of effort goes into implementing due diligence and care.
