A short explanation on the meanings and differences between liability, due diligence, and negligence.
Normally, if the question is ‘who is ultimately liable’, this is normally Senior Management or Senior Leadership. This does not mean that you as an individual or employee are not liable; this depends on due care.
- Who is to be held accountable?
- Who is to blame if something goes wrong?
- Who should pay if something goes wrong?
Due Diligence and Due Care
As a security professional, due diligence is required to build the security architecture and culture of your organisation; this should include best practices and common protection mechanisms and controls.
Considering due care, the prudent person rule should apply. Think, what would a prudent person do in this situation?
If you are responsible for security architecture and systems and a compromise is discovered, due care and diligence would mean fixing the issue, notifying stakeholders, following security policies and procedures, and ensuring that controls are implemented to prevent the compromise from being reoccuring.
Negligence and Gross Negligence
Negligence (and gross negligence) is the opposite of due dilligence and due care. Neligence ties back into liability, for example:
- If a system under your control is compromised and you can prove you performed due diligence and due care, you are most likely not liable
- If a system under your control is compromised and you did not perform due diligence and due care, you are likely to be liable