The continual effort of making sure that the correct policies, procedures and standards are in place and being followed is described as what?
Correct Answer: A
"Due care means that a company did all that it could have reasonably done to try and prevent security breaches, and also took the necessary steps to ensure that if a security breach did take place, the damages were reduced because of the controls or countermeasures that existed. Due care means that a company practiced common sense and prudent management practices with responsible actions. Due diligence means that the company properly investigated all of their possible weaknesses and vulnerabilities before carrying out any due care practices. The following list describes some of the actions required to show that due care is being properly practiced in a corporation:
- Adequate physical and logical access controls
- Adequate telecommunication security, which could require encryption
- Proper information, application, and hardware backups
- Disaster recovery and business continuity plans
- Periodic review, drills, tests, and improvement in disaster recovery and business continuity plans
- Properly informing employees of expected behavior and ramifications of not following these expectations
- Developing a security policy, standards, procedures, and guidelines
- Performing security awareness training
- Running updated antivirus software
- Periodically performing penetration tests from outside and inside the network
- Implementing dial-back or preset dialing features on remote access applications
- Abiding by and updating external service level agreements (SLAs)
- Ensuring that downstream security responsibilities are being met
- Implementing measures that ensure software piracy is not taking place
- Ensuring that proper auditing and reviewing of those audit logs are taking place
- Conducting background checks on potential employees"
Pg. 616, Shon Harris: CISSP Certification All-in-One Exam Guide
CISSP Exam Question 922
An important principle of defense in depth is that achieving information security requires a balanced focus on which PRIMARY elements?
Correct Answer: C
Section: Security and Risk Management
Explanation/Reference: https://www.giac.org/paper/gsec/3873/information-warfare-cyber-warfare-future-warfare/106165 (14)
CISSP Exam Question 923
When is security personnel involvement in the Systems Development Life Cycle (SDLC) process MOST beneficial?
Correct Answer: C
CISSP Exam Question 924
A deviation from an organization-wide security policy requires which of the following?
Correct Answer: A
Explanation/Reference:
Explanation: A deviation from an organization-wide security policy is a 'risk'. Once a company knows the risk it is faced with, it must decide how to handle it. Risk can be dealt with in four basic ways: transfer it, avoid it, reduce it, or accept it. One approach is to accept the risk, which means the company understands the level of risk it is faced with, as well as the potential cost of damage, and decides to just live with it and not implement the countermeasure. Many companies will accept risk when the cost/benefit ratio indicates that the cost of the countermeasure outweighs the potential loss value. In this question, if the deviation from an organization-wide security policy will remain, that is an example of risk acceptance.
Incorrect Answers:
B: Risk assignment would be to transfer the risk. An example of this would be insurance, where the risk is transferred to the insurance company. A deviation from an organization-wide security policy does not require risk assignment.
C: Risk reduction would be to reduce the deviation from the organization-wide security policy. A deviation from an organization-wide security policy does not require risk reduction.
D: A deviation from an organization-wide security policy does not require risk containment; it requires acceptance of the risk posed by the deviation.
References: Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, pp. 97-98
CISSP Exam Question 925
Public Key Infrastructure (PKI) uses asymmetric key encryption between parties. The originator encrypts information using the intended recipient's "public" key in order to get confidentiality of the data being sent. The recipients use their own "private" key to decrypt the information. The "Infrastructure" of this methodology ensures that:
Correct Answer: C
Through the use of Public Key Infrastructure (PKI), the recipient's identity can be positively verified by the sender. The sender of the message knows he is using a public key that belongs to a specific user. He can validate through the Certification Authority (CA) that a public key is in fact the valid public key of the receiver and that the receiver is really who he claims to be. By using the public key of the recipient, only the recipient, using the matching private key, will be able to decrypt the message. When you wish to achieve confidentiality, you encrypt the message with the recipient's public key. If the sender wishes to prove to the recipient that he is really who he claims to be, then the sender applies a digital signature to the message before encrypting it with the public key of the receiver. This provides both confidentiality and authenticity of the message. A PKI (Public Key Infrastructure) enables users of an insecure public network, such as the Internet, to securely and privately exchange data through the use of public key pairs that are obtained and shared through a trusted authority, usually referred to as a Certificate Authority. The PKI provides for digital certificates that can vouch for the identity of individuals or organizations, and for directory services that can store, and when necessary revoke, those digital certificates. A PKI is the underlying technology that addresses the issue of trust in a normally untrusted environment.
The following answers are incorrect:
The sender and recipient have reached a mutual agreement on the encryption key exchange that they will use. This is incorrect because through the use of Public Key Infrastructure (PKI), the parties do not have to have a mutual agreement. They have a trusted third-party Certificate Authority to perform the verification of the sender.
The channels through which the information flows are secure. This is incorrect because the use of Public Key Infrastructure (PKI) does nothing to secure the channels.
The sender of the message is the only other person with access to the recipient's private key. This is incorrect because the sender does not have access to the recipient's private key through Public Key Infrastructure (PKI).
Reference(s) used for this question: OIG CBK Cryptography (pages 253 - 254)