Certified Information Systems Auditor (CISA) — Question 1380
When reviewing the functionality of an intrusion detection system (IDS), the IS auditor should be MOST concerned if:
Answer options
- A. legitimate packets blocked by the system have increased.
- B. false positives have been reported.
- C. detected events have increased.
- D. actual attacks have not been identified.
Correct answer: D
Explanation
The correct answer is D because the purpose of an IDS is to identify actual attacks. If attacks that really occurred were not identified (false negatives), the system is failing at its core function, which is the auditor's greatest concern. Options A, B, and C describe conditions worth reviewing and tuning, but none of them indicates that real threats are going undetected, which is the most critical issue.