Due Care and Due Diligence
Due care is doing what a reasonable person would do. It is sometimes called the “prudent man” rule. The term derives from “duty of care”: parents have a duty to care for their children, for example. Due diligence is the management of due care.
Due care and due diligence are often confused; they are related, but different. Due care is informal; due diligence follows a process. Think of due diligence as a step beyond due care. Expecting your staff to keep their systems patched means you expect them to exercise due care. Verifying that your staff has patched their systems is an example of due diligence.
Gross Negligence
Gross negligence is the opposite of due care. It is a legally important concept. For example, if you suffer a loss of PII (personally identifiable information) but can demonstrate due care in protecting that PII, you are on stronger legal ground. If you cannot demonstrate due care (you were grossly negligent), you are in a much worse legal position.
Legal and Regulatory Issues
Though general understanding of major legal systems and types of law is important, it is critical that information security professionals understand the concepts described in the next section. With the ubiquity of information systems, data, and applications comes a host of legal issues that require attention. Examples of legal concepts affecting information security include: crimes being committed or aided by computer systems, attacks on intellectual property, privacy concerns, and international issues.
Compliance With Laws and Regulations
Complying with laws and regulations is a top information security management priority: both in the real world and on the exam. An organization must be in compliance with all laws and regulations that apply to it. Ignorance of the law is never a valid excuse for breaking the law.
Exam Warning
The exam will hold you to a very high standard regarding compliance with laws and regulations. We are not expected to know the law as well as a lawyer, but we are expected to know when to call a lawyer. For example, confusing the technical details of a security control such as Kerberos may or may not cause a significant negative consequence. Breaking search and seizure laws because of confusion over the legality of searching an employee’s personal property, on the other hand, is likely to cause very negative consequences. The most legally correct answer is often the best for the exam.