Due Care, Due Diligence

在信息安全领域，Due Care实际上是说一个企业要制定各种各样的策略、规程和标准等，用来对企业信息资产的保护，也就是企业应该做的事情；而Due Diligence则是要保证Due Care要做的那些事情要一直保持在最新状态（being continually maintained and operational）。

下面这一道来自互联网的题比较有助于理解：

Which of the following would violate the Due Care concept?

A. Security policy being outdated
B. Data owners not laying out the foundation of data protection
C. Network administrator not taking mandatory two-week vacation as planned
D. Latest security patches for servers only being installed once a week

根据上面的解释：

A - Due Diligence：制定Security Policy是Due Care,但没有更新就是Due Diligence
B - Due Care: 必须要保护数据安全，这个是Due Care,如果你制定了要保护数据安全，但没有做，就是Due Diligence.
C - Due Diligence：要求定期的休假是Due Care,但没有去休假就是Due Diligence
D - Due Diligence：要求打Patch是Due Care；而每周打一次，不能保证时刻保持系统为最新，违反了Due Diligence.

Due Care就是应该做的事情，有点像计划；Due Diligence则要保证Due Care在执行。