Exchange email compliance to-do list

Ten tasks every Exchange administrator needs to address to meet today's email compliance requirements.

Email compliance initiatives typically fall under high-visibility regimes such as Sarbanes-Oxley, the Health Insurance Portability and Accountability Act (HIPAA), the U.S. Patriot Act or similar. But there are countless smaller regulations, internal corporate information technology policies and criminal laws that also affect what goes on inside your email system.

To make sure the proper internal controls have been established around your Exchange email systems, expert and longtime Exchange MVP David Sengupta recommends completing the following 10 compliance-related tasks.


 Step 1: Create an email compliance policy
 Step 2: Get an email archival solution
 Step 3: Evaluate the big picture of email storage
 Step 4: Pay special attention to PSTs
 Step 5: Establish controls and audits for distribution list/group membership
 Step 6: Establish controls for mailbox security and delegation
 Step 7: Establish controls for public folders
 Step 8: Establish controls for Internet SMTP traffic
 Step 9: Establish an e-discovery plan
 Step 10: Identify and eliminate stale objects

Step 1: Create an email compliance policy

Since over 80% of companies now rely on email as their primary means of communication (surpassing the phone), corporate email systems are used for everything from corporate to personal and legal to illicit purposes.

Any company that wishes to avoid troubles related to email usage -- whether regulated under a formal compliance regime or not -- needs to:

  1. Articulate and communicate a clear email policy in writing.
  2. Pass this through human resources and its legal department.
  3. Have all employees read it and sign off.

The policy needs to clearly define what approach the company takes on email usage. For example, is your approach 'anything not explicitly prohibited is permitted' or 'anything not explicitly permitted is prohibited'? Consequences for policy violation need to be clearly spelled out and enforceable. And, if necessary, corporate management and human resources need to be committed to enforcement.

Step 2: Get an email archival solution

A common reaction to email compliance pain is to go out and purchase an email archival solution from the next vendor who comes calling. Needless to say, if you are mandated to retain any or all of your emails for a given retention period (e.g., one year, seven years), an archival solution is definitely called for. However, you need to know what to look for.

Two main flavors of email archival solution exist, each with a specific purpose. Most vendors try to throw an all-in-one solution at these distinct problems, though some are starting to address them separately.

The first type of email archive is an operational archive, which is really focused on offloading storage and load from your mission-critical email servers and moving them to a lower-priority archive -- either within lower-priority email storage servers dedicated to the purpose or to external archives of some sort.

The second type of archive is a compliance archive, and is focused solely on meeting the legal requirements around retention. A compliance archive should be able to:

  • Capture all SMTP traffic (i.e., all message parts -- header, subject, body and attachments, all internal and Internet traffic, all inbound and outbound traffic, etc.) for a portion or all mailboxes in a given company.

  • Auto-categorize archived messages for easier review and auditing, and accommodate numerous retention rules.

  • Capture metadata associated with every message (e.g., BCC information, distribution list/group membership at the time of expansion, Exchange 2003 query-based distribution lists).

  • Store data on unchangeable media.

  • Index archived content.

  • Perform advanced searches to facilitate audits and speed responses to legal or judiciary requirements.

  • De-duplicate and/or single-instance for optimized storage and minimized audit efforts.

  • Allow only authorized auditors to access the archive.

Step 3: Evaluate the big picture of email storage

Archival solutions are great and definitely called for from a compliance perspective. But just rolling out an archival solution does not address all your compliance issues.

Email can generally be found in any of four main "silos" of email storage:

  1. Online data in production email servers.

  2. Offline email data in file systems -- including Outlook PST files, Blackberry, phones and wireless devices.

  3. Backup media -- i.e., daily, weekly, monthly and yearly tapes, both at onsite and offsite locations (and don't forget those old tapes sitting around that no one has bothered to erase).

  4. The archive.

So, if you've just rolled out a shiny new archival solution, that's great. Just don't forget the liability that lurks in all your old backup media, PSTs or other locations. Once you've established retention and destruction policies for email, you need to enforce these across all of the "silos."

And, of course, if you have an archive in place, make sure someone on your compliance team periodically audits what's in it!

Step 4: Pay special attention to PSTs

While I briefly addressed them in step 3, PST files deserve special mention.

  • Do you allow PSTs?

  • Have you lost visibility on where they all are in your organization?

  • Is there a possibility of sensitive data or corporate intellectual property being stored in or exiting your company through those PSTs?

  • Are there compliance-related risks associated with those PSTs?

If you answered "yes" to any of these questions, you need to take PSTs seriously. Various solutions exist to control use of PSTs -- or even better, migrate them into an archive (inside or outside of your Exchange databases, depending on the type of archive you're using).

Step 5: Establish controls and audits for distribution list/group membership

Distribution list/group membership can provide access to sensitive data and needs to be understood and controlled. Make sure you:

  • Implement procedures or technologies to ensure distribution list/group membership changes go through an approval path or are enforced automatically.

  • Identify distribution lists/groups which routinely receive sensitive company data.

  • Implement some sort of auditing or reporting on distribution list/group membership and review it on a regular basis -- at least for sensitive distribution lists.

  • Do the same for distribution list/group usage -- find out who is using which distribution lists/groups and note any exceptions to standard usage patterns.
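One way to get the membership auditing Step 5 asks for, as an added example that is not from the original article: snapshot every distribution group's membership to CSV on a schedule and diff it against the previous snapshot, so additions and removals surface for review even before an approval workflow exists. It assumes an Exchange Management Shell session; the snapshot directory and the sensitive-group addresses are constructed placeholders.

```powershell
# Added example: nightly distribution group membership snapshot and diff.
# Assumes Exchange Management Shell; $SnapshotDir and $SensitiveGroups are
# constructed values to replace with your own.
param(
    [string]$SnapshotDir = 'C:\ExchangeAudit\DLSnapshots',
    [string[]]$SensitiveGroups = @('finance-reports@example.com', 'exec-team@example.com')
)

New-Item -ItemType Directory -Path $SnapshotDir -Force | Out-Null
$today   = Get-Date -Format 'yyyyMMdd'
$current = Join-Path $SnapshotDir "members-$today.csv"

# Snapshot: one row per (group, member). Nested groups are listed as members but
# not expanded, so review nested groups as groups in their own right.
Get-DistributionGroup -ResultSize Unlimited | ForEach-Object {
    $group = $_
    Get-DistributionGroupMember -Identity $group.Identity -ResultSize Unlimited |
        Select-Object @{n='Group';e={$group.PrimarySmtpAddress.ToString()}},
                      @{n='Member';e={$_.PrimarySmtpAddress.ToString()}},
                      @{n='MemberType';e={$_.RecipientType}}
} | Export-Csv -Path $current -NoTypeInformation -Encoding UTF8

# Previous snapshot is the newest file other than today's.
$previous = Get-ChildItem -Path $SnapshotDir -Filter 'members-*.csv' |
    Where-Object { $_.FullName -ne $current } |
    Sort-Object Name -Descending | Select-Object -First 1
if (-not $previous) {
    Write-Output 'First snapshot taken; nothing to compare yet.'
    return
}

$old = Import-Csv -Path $previous.FullName
$new = Import-Csv -Path $current

# Compare on the (Group, Member) pair: '=>' only in today's file means added,
# '<=' only in the old file means removed.
$changes = Compare-Object -ReferenceObject $old -DifferenceObject $new -Property Group, Member |
    Select-Object Group, Member,
        @{n='Change';e={ if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' } }},
        @{n='Sensitive';e={ $SensitiveGroups -contains $_.Group }}

# Sensitive groups sort first so reviewers see them at the top of the report.
$changes | Sort-Object @{Expression='Sensitive';Descending=$true}, Group, Member |
    Format-Table -AutoSize
```

Keep the snapshot files themselves under the same retention and access controls as the rest of your audit evidence, since they record who could read each list's mail on each day.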

Step 6: Establish controls for mailbox security and delegation

Do you know who has been snooping through your inbox lately? Now that I have your attention, let's think about mailbox security and delegation for a moment.

Two common mechanisms for changes to mailbox security and delegation are administrator-initiated and user-initiated.

Administrator-initiated changes can be made subtly without the end user knowing -- and rogue administrators do exist who have abused this authority. Tracking administrator-initiated security events is difficult and requires collection and inspection of security events typically recorded at the operating system level -- i.e., Windows event logs (sometimes in conjunction with Exchange diagnostics logging settings).

User-initiated changes can involve delegation of an entire mailbox or a particular folder (i.e., Outlook Calendar, Inbox) to one or more 'delegates.' Users often lose track of who they have delegated rights to, leaving their data open for perusal and potential violation of compliance-related policies.

Companies should also schedule routine audits of mailbox security settings across the board -- which typically requires some sort of email reporting and auditing solution -- and they should ensure they can answer both of the following questions:

  1. Which mailboxes and mailbox folders does Johnny have access to?
  2. Who has access to Johnny's mailbox or his inbox?
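The two questions above, answered for one user from the Exchange Management Shell, as an added example that is not from the original article. It covers the three places delegation hides: store-level mailbox rights set by administrators, the Send-As extended right in Active Directory, and Outlook folder-level delegates. It assumes Exchange 2010 or later and a hypothetical user alias 'johnny'.

```powershell
# Added example: mailbox security audit for one user (both Step 6 questions).
# Assumes Exchange Management Shell on Exchange 2010 or later; 'johnny' is a
# hypothetical alias.
param([string]$User = 'johnny')

$userObj = Get-Recipient -Identity $User -ErrorAction Stop
$userDn  = $userObj.DistinguishedName

Write-Output "=== Who has access to $User's mailbox? ==="
# Store-level Full Access and similar rights, usually granted by administrators.
# Inherited ACEs and the SELF entry are dropped so only explicit grants remain.
Get-MailboxPermission -Identity $User |
    Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\SELF' } |
    Select-Object User, @{n='Rights';e={$_.AccessRights -join ','}}, Deny

# Send-As is an Active Directory extended right, not a mailbox right, so it is
# invisible to Get-MailboxPermission.
Get-ADPermission -Identity $userObj.Identity |
    Where-Object { -not $_.IsInherited -and $_.ExtendedRights -like '*Send-As*' } |
    Select-Object User, @{n='Rights';e={'Send-As'}}

# Outlook delegation is stored on folders; Inbox and Calendar are the usual targets.
foreach ($folder in 'Inbox', 'Calendar') {
    Get-MailboxFolderPermission -Identity "${User}:\${folder}" |
        Where-Object { 'Default', 'Anonymous' -notcontains $_.User.DisplayName } |
        Select-Object @{n='Folder';e={$folder}}, User, AccessRights
}

Write-Output "=== Which mailboxes does $User have access to? ==="
# There is no reverse index of grants, so this walks every mailbox; schedule it
# off-hours in a large organization.
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $mbx = $_
    Get-MailboxPermission -Identity $mbx.Identity -User $userDn |
        Where-Object { -not $_.IsInherited } |
        Select-Object @{n='Mailbox';e={$mbx.PrimarySmtpAddress.ToString()}},
                      @{n='Rights';e={$_.AccessRights -join ','}}
}
```

Folder-level rights granted through group membership will show the group, not the individual, so pair this with the distribution group membership review from Step 5.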

Step 7: Establish controls for public folders

From a public folder perspective, companies using Microsoft Exchange systems typically fall into one of two camps:

  1. You've got tight control over top-level public folders

    If this describes you, then you're probably doing pretty well from a compliance perspective. You likely have limited usage of public folders and have managed to keep on top of what public folder usage there is in your company.

  2. You've delegated control to departments or business units

    If you're in this second category -- namely those of you who have delegated rights to other business units -- you may have a bit of a mess on your hands. Chances are you have many stale public folders and have lost track of which public folders are being used, what they're being used for, and by whom.

    Finding out what's stored in public folders and who has permissions to them is important, especially if there's a chance of sensitive data being stored in the public folder hierarchy.

    As with mailboxes, you need to have an analysis and reporting solution that can tell you which public folders Johnny has access to and who has access to every public folder. This is an important component in protecting yourself from compliance-related vulnerabilities.

Step 8: Establish controls for Internet SMTP traffic

Let's face it, there's a lot of liability associated with having an open and hard-to-manage communications channel to the outside world.

Email hygiene and employee productivity issues aside, simply understanding whether Internet email is being used to communicate sensitive financial data, for example -- either to legitimate external parties such as financial audit firms, or to competitors, media or other parties -- is complex and fraught with challenges.

There have been numerous cases in the media of inappropriate data being sent via Internet email -- sometimes completely in error -- including confidential patient records, financial data, insider trading information and the like.

Avoiding such mishaps and breaches of compliance-related policies can involve a combination of user education, auto-signatures, content-scanning Internet gateways and auditing mechanisms; this includes the ability to report on traffic sent to and received from specific Internet domains containing certain subject keywords, message body keywords or attachments.

As a starting point, companies need to pay better attention to where their Internet email is going and investigate capabilities that can respond to compliance-related investigations quickly.

Step 9: Establish an e-discovery plan

On the topic of investigations, a key success factor in effectively responding to any compliance-driven investigations will be your company's ability to rapidly perform electronic discovery (e-discovery) of data in your corporate messaging system.

Again, these investigations can find their mandate in an industry compliance regime or simply within the realm of a corporate IT or HR policy. They could be driven by routine internal audits or mandated as part of a court order. Regardless of the source, having to respond to an investigation spanning an entire corporate email system is difficult and time consuming.

An e-discovery plan can be as simple as a section in your overall business continuity plan (you have one, right?) or as complex as a standalone document with accompanying software and license keys that detail all steps required to (try to) find any email anywhere in your company.

The kinds of requests that typically come out of a compliance-related e-discovery request include:

  • The ability to search all messages sent or received by a particular individual (typically starting with CEO, CFO and VP of Finance) going back a given number of years, meaning you need to go back through every backup tape for any server that has contained any of these mailboxes and recover all messages from there.

  • The ability to search globally for any message containing certain keywords, meaning you need to go through all tapes in existence for the mandated timeframe.

Having thought through your response to e-discovery, and the implications for what you retain corporately in each of the four "silos" mentioned in step 3, is key to minimizing the risk of compliance-related penalties, including monetary fines, prison terms, public embarrassment, lost reputation, lost revenues and lost opportunity.

Step 10: Identify and eliminate stale objects

The final recommendation that I'll make is to identify and eliminate stale objects in your email environment. With Exchange, this applies specifically to mailboxes, distribution lists/groups, contacts (or custom recipients) and public folders.

The risk with having stale mailboxes or public folders is that these may still be receiving and accumulating sensitive data that an administrator, curious help desk person or other IT staff member could stumble upon as part of their day-to-day activities. Mail-enabled objects, such as distribution lists or contacts (or custom recipients), could be forwarding sensitive data to unauthorized or external recipients, resulting in further breach of policy and possible violation of compliance legislation.

The following are all important elements of cleaning up your email environment to further minimize compliance-related breaches of policy in your organization. You must be able to identify:

  • Mailboxes that have not generated traffic over a given period of time.
  • Distribution lists that have not received mail over a given time period.
  • Public folders that are empty and/or have not been accessed in a given time.
  • Contacts (or custom recipients) that have not received mail over a given time period.
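A report covering the four stale-object categories above, as an added example that is not from the original article. Mailbox and public folder staleness come from store statistics; "has not received mail" for groups and contacts is taken from message tracking logs, which only prove what happened inside their retention window (30 days by default), so that part of the check is capped accordingly. It assumes an Exchange Management Shell session on Exchange 2013 or later (Get-TransportService); the threshold is a value you choose.

```powershell
# Added example: candidate stale objects for review (Step 10). Assumes Exchange
# Management Shell on Exchange 2013 or later. Output is a review list, not a
# delete list: shared mailboxes, seasonal groups and archive folders look idle.
param([int]$Days = 180)
$cutoff = (Get-Date).AddDays(-$Days)

# 1. Mailboxes with no logon since the cutoff (LastLogonTime is null if never).
$staleMailboxes = Get-Mailbox -ResultSize Unlimited | Get-MailboxStatistics |
    Where-Object { -not $_.LastLogonTime -or $_.LastLogonTime -lt $cutoff } |
    Select-Object DisplayName, LastLogonTime, ItemCount

# 2. Public folders that are empty or have not been modified since the cutoff.
$stalePublicFolders = Get-PublicFolderStatistics -ResultSize Unlimited |
    Where-Object { $_.ItemCount -eq 0 -or $_.LastModificationTime -lt $cutoff } |
    Select-Object FolderPath, ItemCount, LastModificationTime

# 3./4. Groups and contacts with no traffic in the tracking-log window. EXPAND
#       events name the group in RelatedRecipientAddress; contacts appear as
#       ordinary recipients. The window is capped at the default 30-day retention.
$logDays = [Math]::Min($Days, 30)
$start   = (Get-Date).AddDays(-$logDays)
$seen    = @{}
Get-TransportService | ForEach-Object {
    Get-MessageTrackingLog -Server $_.Name -Start $start -ResultSize Unlimited |
        ForEach-Object {
            if ($_.RelatedRecipientAddress) { $seen[$_.RelatedRecipientAddress.ToLower()] = $true }
            foreach ($r in $_.Recipients) { $seen[$r.ToLower()] = $true }
        }
}
$idleGroups = Get-DistributionGroup -ResultSize Unlimited |
    Where-Object { -not $seen.ContainsKey($_.PrimarySmtpAddress.ToString().ToLower()) } |
    Select-Object Name, PrimarySmtpAddress
$idleContacts = Get-MailContact -ResultSize Unlimited |
    Where-Object { -not $seen.ContainsKey($_.PrimarySmtpAddress.ToString().ToLower()) } |
    Select-Object Name, PrimarySmtpAddress, ExternalEmailAddress

Write-Output "Mailboxes with no logon in $Days days: $($staleMailboxes.Count)"
$staleMailboxes | Format-Table -AutoSize
Write-Output "Public folders empty or unmodified in $Days days: $($stalePublicFolders.Count)"
$stalePublicFolders | Format-Table -AutoSize
Write-Output "Distribution groups with no traffic in the last $logDays days: $($idleGroups.Count)"
$idleGroups | Format-Table -AutoSize
Write-Output "Mail contacts with no traffic in the last $logDays days: $($idleContacts.Count)"
$idleContacts | Format-Table -AutoSize
```

Run the tracking-log portion on a schedule and merge the results over successive windows if you need evidence of inactivity longer than the log retention; otherwise a group that is mailed quarterly will be flagged every time.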

David Sengupta, Microsoft Exchange MVP
David Sengupta, based in Ottawa, Canada, is a Group Product Manager in Quest Software's Infrastructure Management group and a Microsoft Exchange MVP. He has contributed to Exchange Server books, magazines, and white papers; is a regular Exchange Server columnist and speaker; and speaks at Microsoft Exchange events, Tech-Ed and IT Forum conferences.
