EPISODE · Apr 20, 2024 · 41 MIN

Policy as Code: An Audit-Tech Peacekeeper with Mike Leuzinger and Andy Kolenko

from CTRLPhreaks · host Clarissa Lucas & Bill Bensing

Summary

In this episode, Mike Leuzinger and Andy Kolenko discuss policy as code from a technology and audit perspective. Policy as code extends infrastructure as code, allowing organizations to automate and manage policies across multiple technology stacks. It can enable continuous compliance, self-service for auditors, and more robust controls through automation. However, challenges include dealing with heterogeneity and the complexity of new technologies. Bridging the gap between technologists and auditors is crucial for successful implementation.

The conversation explores the challenges and benefits of implementing policy as code in an organization. Mike, Andy, Clarissa, and Bill discuss the complexity of keeping up with proprietary schemas and controls and the importance of relying on vendors and industry standards. They also touch on the responsibility of setting and managing Policy as Code, highlighting the industry's lack of established processes and ownership. The conversation emphasizes the need for collaboration between auditors and technology partners and the importance of staying updated on compliance guidance and leveraging tools like Open Policy Agent and the AWS Well-Architected Framework.

Takeaways

Policy as code extends infrastructure as code, enabling organizations to automate and manage policies across multiple technology stacks.
Policy as code enables continuous auditing and monitoring, providing more continuous assurance to stakeholders.
Self-service for auditors reduces miscommunication and allows them to obtain the necessary evidence without relying on clients.
Policy as code strengthens controls through automation, preventing security vulnerabilities from going into production.
Challenges of policy as code include dealing with heterogeneity and the complexity of new technologies.
Bridging the gap between technologists and auditors is crucial for successfully implementing policy as code.
Keeping up with proprietary schemas and controls remains challenging, and organizations should rely on vendors and industry standards to stay ahead.
The responsibility for setting and managing Policy as Code is still unclear, and there is a need for more established processes and ownership.
Collaboration between auditors and technology partners is crucial for the successful implementation of Policy as Code.

