📖 What is Due Diligence?
Due Diligence involves conducting thorough investigations and research to gather sufficient information before making decisions or taking actions. It demonstrates a reasonable effort to understand potential risks and liabilities, ensuring informed choices are made regarding security and compliance.
"Due Diligence is about knowing what a reasonable person would know. It’s a proactive investigation process. The exam frequently tests the difference between Due Care and Due Diligence. Failing to perform Due Diligence can also lead to legal repercussions, particularly in mergers or acquisitions."
📚 Certification: Certified Information Systems Security Professional (CISSP)
🔑 What are the Key Concepts of Due Diligence?
- ▸ Due Diligence is a proactive investigation, unlike Due Care which is reactive; both are essential for a strong security posture.
- ▸ It focuses on identifying risks *before* decisions are made, such as mergers, acquisitions, or adopting new technologies.
- ▸ Documentation is critical – demonstrating the steps taken during Due Diligence provides legal defensibility and accountability.
- ▸ Scope varies based on the risk; higher risk scenarios require more extensive investigation and verification of information.
- ▸ It’s not about guaranteeing success, but about demonstrating a reasonable effort to understand potential liabilities.
🎯 How does Due Diligence appear on the CISSP Exam?
You may be asked to identify which security activity demonstrates Due Diligence when a company is considering acquiring a smaller firm with a questionable security history.
A scenario might describe a cloud migration project; expect questions about the steps taken to assess the cloud provider’s security controls as part of Due Diligence.
Expect questions about the legal implications of *failing* to perform adequate Due Diligence before entering into a contract with a third-party vendor.
❓ Frequently Asked Questions
How does Due Diligence differ from Due Care in a legal context?
Due Care is acting responsibly *after* a risk is known, like patching a vulnerability. Due Diligence is investigating risks *before* making a decision, like assessing a vendor’s security before hiring them. Both are needed to avoid negligence.
What types of documentation are important to retain as evidence of Due Diligence?
Keep records of all investigations, reports, risk assessments, vendor questionnaires, and any evidence of verification. This demonstrates a reasonable effort was made and supports legal defensibility.
Can Due Diligence ever be 'enough' to completely eliminate risk?
No. Due Diligence aims to identify and understand risks, not eliminate them entirely. It’s about making informed decisions with a clear understanding of potential liabilities, and mitigating those risks appropriately.