
What Is Due Care And Due Diligence?

by Wire Tech

Due Care and Due Diligence are another important foundational topic in Information Security. I am sure you will find it interesting.

In the earlier article we discussed and explored the AAA Security topic.

What do you mean by Due Care and Due Diligence?

They are closely related and interconnected terms, to a confusing extent.

The legal definition of Due Care is the conduct a reasonable person would exercise in the same situation or under similar circumstances.

In information security, Due Care (sometimes called Reasonable Care) is defined as implementing, and being able to show, proper and prudent care to protect the corporation’s assets.

Due Diligence is taking the necessary actions to maintain Due Care and ensure its continuity.

Seems too theoretical, huh?!

Hmm, yes!! and confusing as well!!

Let’s take an example from real life. When driving your car, you should wear the seat belt, follow traffic rules, stick to your lane, and obey traffic lights. You should also pay attention to street and road signs, stick to the speed limit, and never exceed it.

You should not make calls or type WhatsApp messages. This is what a reasonable car driver does to avoid a collision or accident, and this is Due Care. Due Diligence is the persistent and continual adherence to the above rules.

In Information Security, Due Care means that a corporation does its best to protect its data and assets through:

  • Good understanding of the corporate assets, their importance and criticality.
  • The proper and careful design of the security controls required to protect the corporation’s assets.
  • Implementing the planned security controls.
  • Continuous monitoring of the implemented safeguards in order to make sure they are still effective in protecting assets.

Due Diligence is continuously applying the above security requirements and actions in order to keep the corporate data and assets secure.

Mike Chapple’s video will help you understand it in more depth.

What is the importance of Due Care and Due Diligence?

An important question. To answer it, let’s get back to the car driving example: if the driver has an accident, then proving that he was driving safely and acting reasonably (i.e. practicing due care and due diligence) helps him show the absence of carelessness or negligence.

In corporate information security: in case of a security breach or data loss that leads to financial loss or a financial penalty on the corporation, showing and proving due care and due diligence is the only safe way for the corporation’s top management to reduce or avoid accountability for negligence.

Planning for Security

The process of an organization’s Security Planning is a top-down process in which the organization’s top management initiates the creation, approval, and enforcement of a corporate security policy.

A Corporate Security Policy is a high-level document that defines the organization’s security strategy, scope, goals, and objectives. It also defines and distributes the responsibilities and roles of all relevant parties in the organization. The security policy is a strategic document (plan). The existence of a security policy is good proof that the organization’s top management have fulfilled their part of Due Care towards protecting the organization’s valuable assets.

The organization may also have additional security policies that focus on particular issues. These Issue-Specific Security Policies each target one security aspect. Common examples of issue-specific security policies are: Email Use Policy, Remote Work Policy, and Physical Security Policy. There are also System-Specific Security Policies such as: Firewall Policy, Router Security Policy, Server Security Policy, and Encryption Policy.

Once these high-level documents are formulated, approved, and published, it is the duty of middle management to translate the high-level directives in the policy into a set of more detailed documents. These detailed documents can be security standards, baselines, guidelines, and procedures.

An organization should have 3 types of plans: Strategic plan, Tactical plan, and Operational plan.

Strategic Plan

A stable long-term plan that defines and specifies the organization’s security objectives, vision, and long-term goals. Strategic plans are prepared for a five-year horizon and should be reviewed and updated on an annual basis.

Tactical Plan

A plan for mid-term use (usually one year) that details how to achieve the high-level goals and objectives defined in the strategic plan.

Operational Plan

The most detailed plan of the three types is the Operational Plan. It is developed for short-term use and should be reviewed and updated monthly. Operational plans define the lower-level steps and procedures required to achieve intermediate goals which, combined, form the goals of the tactical plan.

Important Definitions

Security Standards

A Security Standard is a tactical document that specifies the obligatory requirements in terms of technology use (e.g. hardware, software, encryption). Security Standards define the approved list of technologies, vendors, and products to use in order to achieve the objectives dictated by the organization’s security policy.

Security Baselines

A Security Baseline is the minimum acceptable level of security that must be met and complied with by all systems in the organization. Baselines usually refer to well-known governmental or regulatory standards.

Security Guidelines

A Security Guideline is a document that defines a list of “recommended” best practices. Unlike the other documents, Guidelines are non-obligatory and flexible. They can be customized for each case, system, or situation.

Security Procedures

Procedures are the lowest-level, most specific, and most detailed documents among all types of security documents. A procedure is written to describe in detail, step by step, how to do, implement, or achieve a specific task.

Human Security Policy

The strongest, most modern, and most expensive security controls are useless if put in the wrong hands or under the supervision of a careless employee. People are always seen as the weakest link in the security chain.

Therefore, the human element and its serious effect must be taken into consideration in all phases of your security process. To help protect the organization’s assets and data against intentional (malicious) and unintentional human threats, a set of security rules and principles should be applied.

Separation of Duties

An important security principle that dictates splitting critical and sensitive work functions, and tasks of high importance, among multiple staff members. This approach ensures that no single employee has sufficient power to carry out alone any sort of malicious action such as theft, fraud, or intentional (or even unintentional) sabotage.

A typical example of the Separation of Duties principle is in financial operations, where the operator who issues a financial transaction cannot handle the entire process alone. Instead, a higher-level verifier has to check the transaction and approve it (if legitimate) or reject it (if it seems illegitimate or suspicious). The verifier should never be allowed to create transactions.

Otherwise, they would be able to issue a transaction and approve it themselves (a complete fraud scenario). In all cases, a higher-level supervisor must review and monitor all transactions (issued and verified or rejected), and take immediate action (if needed) to stop, suspend, or cancel the whole process if something looks suspicious.

Least Privilege Principle

Another important security principle that limits the authority of an individual is the Least Privilege Principle. It means granting the employee only the minimum access, privileges, and rights needed to perform their job tasks.

A common example of the Least Privilege principle is in databases: an operator, developer, or analyst who only needs to read (SELECT) from a table should never be granted UPDATE or DROP privileges on that table.
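The two controls above are distinct, and a single workflow can enforce both. The following is an added example, not code from the original article: a small maker/checker ledger in Python where least privilege is a per-role action list (operators only create, verifiers only approve or reject, supervisors only review and suspend) and separation of duties is a separate rule that the person who created a transaction can never be the one who decides on it. The users alice, bob, carol and dave, the role and action names, and the amounts are all constructed for the illustration; dave is deliberately given both operator and verifier roles to show that the SoD check still stops self-approval even when role assignment has gone wrong.

```python
from dataclasses import dataclass
from enum import Enum

class Role(Enum):
    OPERATOR = "operator"      # issues transactions
    VERIFIER = "verifier"      # approves or rejects, never creates
    SUPERVISOR = "supervisor"  # reviews everything and can suspend

# Least privilege: each role carries only the actions its job needs.
PERMISSIONS = {
    Role.OPERATOR: frozenset({"create"}),
    Role.VERIFIER: frozenset({"approve", "reject"}),
    Role.SUPERVISOR: frozenset({"review", "suspend"}),
}

class AuthorizationError(Exception):
    """Raised when a user attempts an action outside their privileges."""

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset  # a user may hold several roles; the SoD check covers that risk

    def can(self, action):
        return any(action in PERMISSIONS[r] for r in self.roles)

@dataclass
class Transaction:
    tx_id: int
    amount: float
    created_by: str
    status: str = "pending"  # pending -> approved | rejected | suspended

class Ledger:
    def __init__(self):
        self.transactions = {}
        self.audit_log = []  # every attempt, allowed or denied, is recorded

    def _authorize(self, user, action):
        if not user.can(action):
            self.audit_log.append(f"DENIED {user.name} {action}")
            raise AuthorizationError(f"{user.name} may not {action}")

    def create(self, user, amount):
        self._authorize(user, "create")
        tx = Transaction(len(self.transactions) + 1, amount, user.name)
        self.transactions[tx.tx_id] = tx
        self.audit_log.append(f"{user.name} created tx {tx.tx_id} for {amount}")
        return tx

    def decide(self, user, tx_id, action):
        self._authorize(user, action)  # action is "approve" or "reject"
        tx = self.transactions[tx_id]
        if tx.status != "pending":
            raise ValueError(f"tx {tx_id} is already {tx.status}")
        # Separation of duties: the maker is never the checker, even when one
        # person has (wrongly) been given both roles.
        if tx.created_by == user.name:
            self.audit_log.append(f"DENIED {user.name} {action} own tx {tx_id}")
            raise AuthorizationError(f"{user.name} cannot {action} their own transaction")
        tx.status = "approved" if action == "approve" else "rejected"
        self.audit_log.append(f"{user.name} {tx.status} tx {tx_id}")
        return tx

    def review(self, user):
        self._authorize(user, "review")
        return list(self.transactions.values())

    def suspend(self, user, tx_id):
        self._authorize(user, "suspend")
        tx = self.transactions[tx_id]
        tx.status = "suspended"
        self.audit_log.append(f"{user.name} suspended tx {tx_id}")
        return tx

def run_scenario():
    """Constructed walk-through with made-up users; returns outcomes for checking."""
    ledger = Ledger()
    alice = User("alice", frozenset({Role.OPERATOR}))
    bob = User("bob", frozenset({Role.VERIFIER}))
    carol = User("carol", frozenset({Role.SUPERVISOR}))
    dave = User("dave", frozenset({Role.OPERATOR, Role.VERIFIER}))  # toxic combination
    out = {}
    tx1 = ledger.create(alice, 500.0)
    out["approved"] = ledger.decide(bob, tx1.tx_id, "approve").status
    try:  # least privilege: a verifier cannot issue transactions
        ledger.create(bob, 10.0)
        out["verifier_create"] = "allowed"
    except AuthorizationError:
        out["verifier_create"] = "denied"
    tx2 = ledger.create(dave, 9000.0)
    try:  # separation of duties: dave cannot check his own work
        ledger.decide(dave, tx2.tx_id, "approve")
        out["self_approval"] = "allowed"
    except AuthorizationError:
        out["self_approval"] = "denied"
    out["suspended"] = ledger.suspend(carol, tx2.tx_id).status  # supervisor steps in
    out["reviewed"] = len(ledger.review(carol))
    out["denied_events"] = sum(e.startswith("DENIED") for e in ledger.audit_log)
    return out
```

Running `run_scenario()` yields alice’s transaction approved by bob, bob denied when he tries to create one, dave denied when he tries to approve his own, and carol suspending dave’s transaction after reviewing both. The denied attempts are written to the audit log rather than silently dropped, which is what gives the supervisor something to monitor.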

Mandatory Vacations

The organization’s work rules must require every employee to plan and take a long annual vacation (usually 14 consecutive days). Besides letting the employee recharge and return to work with new spirit, a two-week vacation makes it necessary for another employee to take over the tasks and responsibilities of the vacationing employee. This two-week period is enough for the replacement employee to detect any fraudulent activity carried out by the first employee.

Job Rotation

Rotating employees over several job roles could also serve security in two ways:

  1. Preparing efficient replacement in case of emergency situations or incidents that may cause the absence of one or more employees.
  2. Job rotation makes it easy to detect any fraud, theft, or malicious activity. Knowing this, employees are less likely to attempt it, so the likelihood of malicious activity decreases.

Screening and Background Checks

Candidates for an open job vacancy should be screened carefully. The strictness of the screening process is proportional to the sensitivity and criticality of the job’s responsibilities.

During the hiring process, a set of necessary procedures is carried out to check whether a candidate is suitable for the job or not. The procedures include: education verification, reference checks, and background checks. The candidate is required to present on request:

  • Original copy of the academic qualification certificate.
  • Official Criminal Record Certificate.
  • Original copy of Birth Certificate and Personal ID.
  • A list of references with their job titles and contacts.
  • Medical check results, including drug test.

Non-Disclosure Agreement

The Non-Disclosure Agreement (NDA) is an official document signed by employees stating that they must never (under any circumstances) disclose the organization’s confidential information that they have access to as part of their job. Any violation of the NDA is met with tough disciplinary action.

Service Level Agreement

Threats caused by the human element are not only due to insiders (organization’s employees). Other human factors that must be considered are the third parties including external vendors and contractors.

There must be rules that define, control, and govern the relationship between an organization and the third parties working on its projects or supporting it. Such governing rules are defined and detailed in a document called a Service Level Agreement (SLA).

This agreement is signed by both sides (the organization and the third party). Violating the SLA, or failing to provide the minimum adequate level of service defined in it, exposes the contractor or vendor to penalties or termination of the contract.

This article is part of our CISSP certification prep series, which will clear up more of your doubts on Due Care and Due Diligence.

In the next article, we are going to discuss Risk Management, another important concept that InfoSec professionals should be aware of. Till then, stay tuned.


Copyright @2023 All Right Reserved