ABSTRACT
The advent of auditing has been a mixed blessing for information security. On one hand, just about every security practitioner has been working many extra hours to implement a lot of new processes and technologies in time to pass the next audit; in some cases, auditors have been (or are becoming) unreasonable in their expectations. On the other hand, the processes and technologies being implemented are generally good for security, not just for passing audit, and the reality is that most companies would not be spending so much on security if it were not for the newer audit, security, and reporting requirements set forth by legislation such as Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and others.
