Due care is the legal and ethical principle that describes the standard of conduct expected of a reasonable person under specific circumstances. In information security, it means taking the necessary, ongoing actions to protect assets and mitigate risks. This standard requires individuals and organizations to act prudently and responsibly to avoid causing harm or loss, which directly aligns with the "reasonable person" test mentioned in the question.

A. Separation of duties is a security control that divides a critical task among multiple individuals to prevent fraud or error, not a standard of conduct.

B. Due diligence refers to the preparatory investigation and research conducted before taking an action to identify potential risks and liabilities.

D. Least privilege is an access control principle that ensures users are only granted the minimum level of access necessary to perform their job functions.

1. Cornell Law School

Legal Information Institute (LII). "Due Care." The LII

a reputable academic source

defines due care as: "The degree of care that a reasonable person would exercise under the same or similar circumstances." This provides the foundational legal definition.

Source: https://www.law.cornell.edu/wex/duecare

2. NIST Special Publication 800-161 Revision 1

Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations. This official publication distinguishes between the two key concepts.

Section 2.3.2

"Due Diligence and Due Care

" states: "Due care is the prudent and responsible execution of the duties and responsibilities associated with a given role or position." This directly supports the concept of ongoing

reasonable action.

3. (ISC)². Official (ISC)² Guide to the CISSP CBK. 6th Edition. CRC Press

2022. This is an official vendor document for a foundational cybersecurity certification whose concepts are shared with the CC.

Chapter 3

"Security Governance Principles

" defines due care as "the standard of care that a reasonable person is expected to exercise in all activities that could potentially harm others." It explicitly contrasts this with due diligence

which is defined as the "process of investigation."