Due care and due diligence are often confused; they are related, but there is a difference between them. Due care is informal, while due diligence follows a process. Think of due diligence as a step beyond due care. For example, expecting your staff to keep their systems patched means that you expect them to exercise due care, while verifying that your staff has patched their systems is an example of due diligence.
[citing from a book written by Eric Conrad, Seth Misenar, Joshua Feldman]
Simple trick to follow when in doubt.
Due Care = DC = Do Correct
Due Diligence = DD = Do Detect
e.g.:
A routine review of the most current SOC 2 report is a critical part of a cloud customer's due diligence for their cloud service vendor.
There are several approaches to risk mitigation in cloud environments. The start of security is with the selection of a CSP, and a set of documented requirements and comparison of CSP offerings against those requirements is a key due diligence activity.
Designing a supply chain risk management (SCRM) program to assess CSP or vendor risks is a due diligence practice, and actually performing the assessment is an example of due care.
In a nutshell, by practicing due care, the organization shows it has taken the necessary steps to protect itself and its workers. By practicing due diligence, the organization ensures that these security policies are properly maintained, communicated, and implemented.
Hope this clears up the confusion...
Thanks
Chandra Mouli, CISSP, CCSP, CSSLP