John Smith posts an interesting question about policy framework and due diligence today as follows:
Due diligence, generally speaking, is a cautious investigation that informs decision-making or a course of proactive and preemptive actions. Due care is the reasonable care a prudent person uses to implement the decision, exercise one’s duties, or conduct any activities; negligence, i.e., failing to exercise due care, might lead to litigation.
Due diligence can be explicitly measured by a standard, while due care is implicit and determined by court judges.
Standard of Due Diligence
The definition of due diligence varies across contexts or industries. There should be a “standard of due diligence” for each context to measure if due diligence is fulfilled. For example, a lawyer is subject to legal due diligence. Kayode Omosehin, Esq. has a good explanation of this topic.
However, when it comes to information security, what is the standard of “security due diligence,” and who is subject to the standard? The CISSP CBK 4th edition proposed a list of tasks as the following diagram shows:
The management is typically in charge of the creation of Policies, Standards, or Procedures (or policy framework). IMO, setting up the policy framework is the management’s due diligence as policies stand for management intention, and the fact that policies entail informed decisions is proactive in nature.