Any network traffic that is going to pose a security problem is just blocked. It's just as if the network traffic is purified before it passes on to our networks -- attacks are blocked and prevented from spreading. We just get the reports about how much. It's simple and effective, but we don't trust anything to be foolproof.
There's a danger of putting highly focused policies in place, as costs can outweigh benefits. If you have security turned up to such a level that you can't react because nothing is getting through, then that's not the right level of security.
The problem with Sarbanes-Oxley is that it means 20 different things to 10 different people. There's a tremendous wealth of folklore that has been built up around it in the IT sector. A lot of people are trying to push us into spending money on Sarbanes-Oxley compliance, but I trust our auditors.