CISA Certified Information Systems Auditor – Question1560

When reviewing an intrusion detection system (IDS), an IS auditor should be MOST concerned about which of the following?

A.
Number of nonthreatening events identified as threatening
B. Attacks not being identified by the system
C. Reports/logs being produced by an automated tool
D. Legitimate traffic being blocked by the system

Correct Answer: B

Explanation:

Explanation:
Attacks not being identified by the system present a higher risk, because they are unknown and no action will be taken to address the attack. Although the number of false-positives is a serious issue, the problem will be known and can be corrected. Often, IDS reports are first analyzed by an automated tool to eliminate known false-positives, which generally are not a problem. An IDS does not block any traffic.