Version: 1.1
Approved By: Richard D’Lonesteen
Created at: 12/10/2023
Purpose:
This policy outlines the guidelines and procedures for maintaining an accurate and secure inventory of all software assets using Microsoft Defender for Endpoint. This will help in identifying, managing, and protecting against vulnerabilities associated with these software assets.
Scope:
This policy applies to all employees, contractors, and third parties who develop, manage, or operate software within the ChattyAI infrastructure.
Policy:
- Software Asset Inventory:
  - The IT Department shall maintain a comprehensive inventory of all software used throughout the organization, leveraging Microsoft Defender for Endpoint capabilities. This inventory will include:
    - Bespoke and custom software developed internally.
    - Third-party software components utilized within any business operations, including open-source software.
  - Details recorded in the inventory will include software name, version, supplier, procurement date, and the purpose of the software within our operations.
- Responsibilities:
  - The IT Security Manager is responsible for overseeing the implementation of Microsoft Defender for Endpoint for software inventory management.
  - Department Heads are responsible for ensuring that all bespoke and third-party software used within their department is reported and registered in the software inventory.
- Registration and Approval:
  - Before any software is deployed within ChattyAI, it must be approved by the IT Security Department.
  - Newly acquired software must be verified and registered within Microsoft Defender for Endpoint to ensure all security features are applied.
- Inventory Auditing:
  - The software inventory must be audited on a semi-annual basis to ensure accuracy and completeness. Audits will be conducted by the IT Security team.
  - Any discrepancies found during audits must be corrected within a reasonable timeframe, not exceeding 30 days.
- Integration and Monitoring:
  - Microsoft Defender for Endpoint shall be configured to continuously monitor all registered software assets for vulnerabilities, unauthorized changes, or anomalies.
  - Alerts generated by Microsoft Defender for Endpoint related to software components must be addressed according to the Incident Response Policy.
- Security Patch Management:
  - The IT Department will utilize Microsoft Defender for Endpoint to identify and apply security patches to software components in a timely manner.
  - All software must be kept up to date with the latest security patches to mitigate potential vulnerabilities.
- End-of-Life Software:
  - Software that has reached its end of life or is no longer supported by the vendor must be evaluated and replaced as necessary.
  - End-of-life software will be identified through Microsoft Defender for Endpoint and removed from operational use to prevent potential security risks.
- Compliance and Reporting:
  - This policy must be adhered to in conjunction with all applicable regulatory requirements and standards.
  - Any deviations from this policy must be reported to and authorized by the IT Security Manager.
- Training and Awareness:
  - All relevant staff must receive training on this policy and related procedures, including how to use Microsoft Defender for Endpoint for software inventory purposes.
  - Continuous education and updates regarding software management best practices will be provided to ensure compliance.
Enforcement:
Failure to comply with this policy can result in disciplinary action, up to and including termination of employment. Additionally, breaches of this policy may also lead to legal and financial repercussions against ChattyAI.
Revision and Review:
This policy is subject to annual review or more frequently as needed to reflect changes in legal, regulatory, or organizational responsibilities. Changes to this policy must be approved by the Chief Information Security Officer.