In 200 words or more, describe the role of due care and due diligence in reducing liability exposure.
Effectively, the notion of due care as far as information security goes is something of a double-edged sword. You either wait for regulators and government officials to come out with standards that you need to follow in order to ensure that your organization is truly secure, or you take a more proactive approach. Countless organizations and agencies have waited until the government has stepped in – or until their security has been compromised – before taking appropriate measures to improve their security.
However, if one were to follow a standard of due care in order to ensure that their information security is not compromised, a certain level of proactivity is necessary. The creation of a culture of security is a priority, across all levels of any organization, in order to protect the organization’s brand – its mark on the world. If the brand becomes associated with the notion that security is not a priority, then the organization has to work especially hard to regain that image in its clients’ eyes.
Due care also means that there is such a thing as bad public relations. Companies don’t want to be known for their information security breaches. That’s a certain way to have their reputations be colored negatively and to lose credibility, in addition to losing that all-important client base.
What we are effectively looking at as far as due care is concerned is ongoing maintenance to ensure things are in proper order. If due care is implemented as a result of a contract requirement, a regulation, or a law, you absolutely must abide by the standard established therein. The direct opposite of due care is negligence.
Due diligence is simply a matter of understanding the ins and outs of your information security policies and procedures. However, in order to truly demonstrate due diligence when it comes to information security, businesses must focus a narrow lens on their own information security in addition to being mindful of global laws and regulations which may have an impact on their operations.
There is also the notion that businesses everywhere are trying to cut costs, which may lead to a cutback in focus on due diligence in information security. There are very few businesses that are not trying to reduce overall costs lately, and as a result there is an increase in outsourcing which, in turn, may lead to increased risk overall. It is critical for supervisors and board members to provide ongoing supervision to ensure the safety of information assets throughout any outsourcing efforts.
A framework for due diligence should also be made part of the quality assurance process. In doing so, businesses can cut their potential for risk throughout their information security systems. In addition, businesses could then potentially realize savings and, because they are taking greater care with their information security processes, potentially realize further profits.
Put simply, the opposite of due diligence would be “not doing your homework” or simply approaching your work in a haphazard manner. Examples of this as far as CISSP goes would be not examining the terms of the framework and scope of a pen test prior to engaging in the test, or going ahead with the test without ensuring you have the proper authorization to do the job. Not following the practices of due diligence could lead to your dismissal from a contract or, worse, legal trouble because you were caught doing something you shouldn’t have been doing.