Prevailing conditions relative to the regulatory, threat, and technology landscapes are changing the nature and scope of information security requirements. Providing comprehensive protection for computing systems and associated information assets is not just a good business practice, but in many cases it is now mandated. In addition, what constitutes comprehensive has expanded significantly in recent years. Just implementing a handful of perimeter-based, network-layer countermeasures is no longer sufficient. Todays organizations must account for more points of entry into their networks, more types of resources that require protection, and substantially greater diversity of the threats seeking to exploit any weaknesses that may be present.