The Madness of Sampling standard

The PCI DSS instructs assessors to sample certain parts of the population when validating compliance. According to the PCI DSS, the sample “must be a representative selection of all of the types and locations of business facilities as well as types of system components, and must be sufficiently large to provide the assessor with assurance that controls are implemented as expected.” That usually prompts two follow-up questions, and the answers tend to vary from assessor to assessor: What do you mean by a representative selection (or how many is representative)? What do you consider sufficiently large to gain assurance? In the audit world, internal auditors who review IT systems will look to statistically valid samples as a method to determine how ...