On a broader scale, the US Dodd-Frank Act addresses record-keeping transparency. The US Comprehensive Capital Analysis and Review (CCAR) framework addresses data quality and management. In Europe, MiFID II addresses data collection processes, while Basel III contains data governance provisions within the context of risk management and capital adequacy concerns.
In China, the Banking and Insurance Regulatory Commission (CBIRC) issued guidelines in May 2018 that include provisions for financial firms, assigning responsibility for setting up data governance systems, data quality control and related incentive and accountability systems.
So, with a good handle on data governance traits and rules, firms may also deploy enterprise data management (EDM) and master data management (MDM) systems as a means to carry out the provisions made in data governance. These systems scrub, enrich and curate data to standardize how data is defined, and they produce metadata that helps implement data governance frameworks with integrity, accountability and security.
With knowledge of the elements of data governance, both as part of a firm’s native efforts and its compliance requirements, management will be better equipped to do business in the markets and lower their operational and regulatory risk.
Due Diligence (DD) is more specific than Due Care (DC) because DD has explicit “standards,” while DC is implicit and relies on a judge’s inner conviction per the prudent man rule.
Due Diligence (DD)
“Investigation” is a generally accepted “standard” of DD across industries. Some laws or regulations may define the standard of DD in certain subject domains. For example, the US regulation, 16 CFR § 682.3, defines the DD standard for the proper disposal of consumer information.
Generally speaking, DD emphasizes investigation as a preventive/proactive measure, establishing and maintaining the management system (policies, standards, procedures, controls, etc.) and ensuring its effectiveness.
Due Care (DC)
DC focuses on exercising best effort and reasonable care to conduct activities and take preventive, detective, corrective, or recovery actions. However, the degree of effort that DC requires is not easy to measure. That’s why a defendant in court has to justify to the judge that he or she has exercised “due care.”
DD and DC
It’s common for CISSP aspirants to use the following mnemonics:
I really love this old textbook, Ethics and the Conduct of Business by John R. Boatright!
Cybersecurity education is now promoted in high schools in Taiwan. Students are learning the basic concepts of cybersecurity and red team and blue team things. I seriously believe our Cybersecurity 101 should start with “ETHICS.”
The new CISSP exam outline has done an excellent job by moving ethics to the very first topic!
An investigation is the collection and analysis of evidence for specific purposes.
Administrative investigation means an internal investigation of alleged misconduct by an employee. (Law Insider)
Administrative Investigations are conducted by local management, local Personnel Representatives and/or Employee Relations in response to complaints or concerns that generally are personnel related and non-criminal in nature. For example, an administrative investigation may be initiated in response to any of the following conditions or allegations:
– A grievance or complaint
– Property misuse/damage/theft
– Misconduct
– Prohibited harassment or discrimination
– Threatening, intimidating, or violent behavior
– Violation of university policies, rules and/or standards of conduct, or
– Violation of law. (NC State University)
A civil investigation uncovers and assembles evidence necessary for a civil trial. A civil trial is a type of court case involving two individual citizens who disagree on an issue that relates to their rights as citizens. For example, if one person sues another for damages caused by a domestic accident, the case will likely be conducted as a civil trial. Civil investigators are responsible for gathering the evidence essential to such a trial. (PI Now)
When civil matters occur, it is the responsibility of each party to properly prepare to defend its position whether going to trial or trying to settle outside of court. Civil cases are disputes between two parties where one party or both parties failed to fulfill an agreement, service, or uphold their legal obligation. (Global Intelligence Consultants)
Regulatory investigation means a formal hearing, official investigation, examination, inquiry, legal action or any other similar proceeding initiated by a governmental, regulatory, law enforcement, professional or statutory body against you. (Law Insider)
Criminal investigation is an applied science that involves the study of facts that are then used to inform criminal trials. (Wikipedia)
Applied to the criminal realm, a criminal investigation refers to the process of collecting information (or evidence) about a crime in order to: (1) determine if a crime has been committed; (2) identify the perpetrator; (3) apprehend the perpetrator; and (4) provide evidence to support a conviction in court. (JRank)
Investigation Standards, Guidelines, and Protocols