Standardized Processes can Guide Sample Size
Another consideration for the CCSSA is whether the assessed entity uses standardized processes that produce a consistent output each time a process is undertaken.
For example, if the assessed entity uses build scripts such as Terraform when provisioning the servers that host cryptocurrency wallets, so that the build process produces a consistent output, then the CCSSA can review the Terraform scripts to confirm they meet the applicable CCSS requirements and select only a small sample-set of servers to verify that they were built from those scripts. Because the Terraform scripts provide a consistent and measurable output, the sample-set can be small relative to the total population.
If, however, the assessed entity allows the IT department to build servers as they see fit, then the CCSSA will need to ensure the sample-set of servers is a high percentage of the total population, because the build process is inconsistent.
The CCSSA will also need to consider the risk of compromise or failure, and the criticality of the components, when defining the sample-set size. In our example, if the assessed entity allows the IT department to build the servers hosting cryptocurrency wallets as they see fit, this increases the risk of the build process introducing vulnerabilities. Factoring in the criticality of servers hosting cryptocurrency wallets, the CCSSA may decide to audit all of them.
Finally, the Auditor Guide section on sampling provides the following guidance, which offers some helpful considerations when selecting samples.
Items selected for testing
When identifying the items to be tested, the auditor can use professional judgement, random selection, or a combination of the two techniques.
When identifying items to test using professional judgement, the auditor should consider factors such as the following:
- Items that are likely to be subject to manipulation;
- Items that are outliers in the general population, etc.
When identifying items using random selection the auditor should make use of a randomized sampling technique such as the following:
- Simple random selection (i.e. using a random number generator within the range of the population)
- Systematic random (identifying a starting point and then selecting items at a specific interval from this point)
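The following Python script is an added worked example, not part of the CCSS Auditor Guide, that models the sample-set sizing considerations described above (small sample-set for standardized builds, high percentage for inconsistent builds, every item when critical components are built inconsistently) together with the two randomized selection techniques just listed, combined with professional judgement so that items the auditor flags (for example outliers) are always included. The server inventory, the fractions SMALL_FRACTION and HIGH_FRACTION, and all function names are assumptions for illustration; the guide states the principles but prescribes no specific numbers.

```python
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Server:
    name: str
    hosts_wallet: bool        # criticality: the server hosts a cryptocurrency wallet
    standardized_build: bool  # built from version-controlled build scripts (e.g. Terraform)


# Constructed inventory for illustration only; these are not real hosts.
INVENTORY = (
    [Server(f"wallet-{i:02d}", hosts_wallet=True, standardized_build=True) for i in range(1, 11)]
    + [Server(f"app-{i:02d}", hosts_wallet=False, standardized_build=False) for i in range(1, 21)]
)

# Assumed sampling fractions. The guide states the principle (a small sample-set for
# standardized builds, a high percentage for inconsistent ones, and possibly every
# item for critical components) but does not prescribe numbers.
SMALL_FRACTION = 0.2
HIGH_FRACTION = 0.5


def sample_size(population: int, standardized: bool, critical: bool) -> int:
    """Sample-set size for one population of components."""
    if population <= 0:
        return 0
    if critical and not standardized:
        return population  # inconsistent build of critical components: audit them all
    fraction = SMALL_FRACTION if standardized else HIGH_FRACTION
    return max(1, math.ceil(population * fraction))


def make_rng(seed: int) -> random.Random:
    """Seeded generator so the selection can be reproduced and recorded in the workpapers."""
    return random.Random(seed)


def simple_random_selection(items, n, rng):
    """Simple random selection: n distinct positions drawn from range(len(items))."""
    if n <= 0:
        return []
    if n >= len(items):
        return list(items)
    positions = sorted(rng.sample(range(len(items)), n))
    return [items[p] for p in positions]


def systematic_random_selection(items, n, rng):
    """Systematic random: random starting point, then every k-th item (k = N // n)."""
    if n <= 0:
        return []
    total = len(items)
    if n >= total:
        return list(items)
    interval = total // n
    start = rng.randrange(interval)  # start lies inside the first interval
    return [items[start + i * interval] for i in range(n)]


def select_sample(items, n, rng, method="simple", must_include=()):
    """Combine professional judgement (must_include, e.g. outliers) with random selection."""
    forced = [s for s in items if s.name in must_include]
    remaining = [s for s in items if s.name not in must_include]
    n_random = n - len(forced)
    if method == "simple":
        picked = simple_random_selection(remaining, n_random, rng)
    elif method == "systematic":
        picked = systematic_random_selection(remaining, n_random, rng)
    else:
        raise ValueError(f"unknown selection method: {method}")
    return forced + picked


def plan_audit_sample(inventory, rng, method="simple", must_include=()):
    """Group the inventory by (critical, standardized), size each group, select its sample."""
    groups = {}
    for server in inventory:
        groups.setdefault((server.hosts_wallet, server.standardized_build), []).append(server)
    plan = {}
    for key, members in groups.items():
        critical, standardized = key
        n = sample_size(len(members), standardized, critical)
        plan[key] = select_sample(members, n, rng, method, must_include)
    return plan


if __name__ == "__main__":
    for key, chosen in plan_audit_sample(INVENTORY, make_rng(2024), "systematic").items():
        print(key, [s.name for s in chosen])
```

Each group of components is sized separately, because the sizing factors (standardized build, criticality) differ per group; the seed passed to make_rng is what lets a reviewer regenerate exactly the sample-set the CCSSA tested.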