Achieving Regulatory Compliance with Exchange 2007
By Christopher Zwergel - Senior Microsoft Consultant - Akibia

The diagram above depicts the overall design of how policy can be applied to control these scenarios.

 

Within previous versions of Microsoft Exchange, Regulatory Compliance was not really addressed, and the features that were included were extremely limited in functionality. Due to this lack of enterprise capability and support, many companies looked to third-party solutions, which provided the level of technology needed for compliance; however, these solutions came at a price premium. These solutions were easily adaptable to the limitations of regulatory statutes that a company would need to comply with, such as Sarbanes-Oxley (SOX), Gramm-Leach-Bliley (GLB), Health Insurance Portability and Accountability Act (HIPAA), FDA CFR 11, and Federal Insurance Contributions Act (FICA).

With Exchange 2007, Microsoft has masterfully incorporated functionality learned from studying competitors in this space and added features requested by its customers. In this article, I will review features that Microsoft has enhanced with new functionality, as well as a few new features that will have a significant impact on the way you address compliance in your infrastructure. Those topics are:

  • Policy Management
  • Transport Rules
  • Ethical Firewall
  • Managed Folders
  • Envelope Journaling
  • Message Classification

Policy Management

Exchange 2007 boasts a new Policy Management process that provides enforcement and management of email flow control across the enterprise. This new policy engine controls all aspects of message flow. By using sets of conditions and exceptions with a resultant action, the policy engine allows management of messages between mailboxes, journaling, data access control, and message retention.

Transport Rules

Transport Rules are a flexible way to control message routing and content restrictions across the enterprise. They provide an easy and quick way to specify a set of criteria in order to generate a desired action upon inspection of all correspondence. These rules can be defined either on an Edge Transport Server or on a Hub Transport Server. Some common uses for Transport Rules are adding disclaimers to outbound messages, scanning the body of messages for keywords, credit card numbers and SSNs, and blocking specific users from sending correspondence to another user within your organization.

Ethical Firewall

As mentioned above, Exchange 2007 provides the ability to block email transmission between two users within the same organization. This is an instance of setting up an ethical firewall. An ethical firewall ensures that only acceptable content is being transmitted between two groups of users. When a transport rule is used to achieve this scenario, the rule can be configured not only to block correspondence but also to filter based on keywords.
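An added example (not from the original article) of how such an ethical firewall can be expressed in the Exchange 2007 Management Shell on a Hub Transport server, combining a group-to-group condition with a keyword filter. The distribution group names, keywords, rule name and rejection text are hypothetical placeholders.

```powershell
# Added example: ethical firewall between two groups with a keyword filter.
# Group names, keywords and the rule name are hypothetical; substitute your own.
$ruleName = 'Ethical firewall - Research / Banking'

# Resolve both groups first and stop if either is missing, so the rule is
# never created with an empty side.
$groupA = Get-DistributionGroup 'Research Analysts'  -ErrorAction Stop
$groupB = Get-DistributionGroup 'Investment Banking' -ErrorAction Stop

# Condition 1: the message travels between a member of one group and a
# member of the other, in either direction.
$between = Get-TransportRulePredicate BetweenMemberOf
$between.Addresses  = @($groupA)
$between.Addresses2 = @($groupB)

# Condition 2: the subject or body contains one of the listed keywords.
# Conditions on a rule are combined with AND, so only matching messages
# between the two groups are affected. Leave this condition out of the
# -Conditions list to block all correspondence between the groups instead.
$keywords = Get-TransportRulePredicate SubjectOrBodyContains
$keywords.Words = @('merger', 'acquisition', 'tender offer')

# Action: reject the message and tell the sender why.
$reject = Get-TransportRuleAction RejectMessage
$reject.RejectReason = 'Blocked by compliance policy: restricted topic between these departments.'

New-TransportRule -Name $ruleName `
    -Conditions @($between, $keywords) `
    -Actions @($reject)

# Review what was stored, including the rule's position in the evaluation order.
Get-TransportRule $ruleName | Format-List Name, Priority, Conditions, Actions
```

Transport rules created on a Hub Transport server are stored in Active Directory and apply organization-wide, so test with pilot groups before pointing the rule at production groups.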

Managed Folders

In Exchange 2003, data retention was achieved by using the Mailbox Manager feature, which provided the ability to delete mailbox content based on the age and/or size of the object. Exchange 2007 has enhanced this functionality, which is now built into Managed Folders (more commonly referred to as Messaging Records Management).

Organizations set retention policies for all types of media within the Unified Messaging landscape, such as e-mail, voicemail and faxes. To manage this process more efficiently, Administrators have the ability to create undeletable containers within the Outlook 2007 interface. This provides them the ability to use criteria-based policies to sort like data. The content is then controlled by the Administrator, who has the ability to set a content expiration date. Once the content has expired, there are five options for the content management:

  • Delete and allow recovery
  • Mark as past retention limit
  • Move to a managed custom folder
  • Move to the deleted items folder
  • Permanently delete

These folders provide Administrators and Users with an invaluable tool to manage the compliance process.

Envelope Journaling

Envelope journaling is the process of storing copies of correspondence to a journal mailbox. In Exchange 2000 and 2003, Envelope Journaling was resource intensive and wasteful, particularly if you had only a small number of mailboxes for which you had to archive messages. Unless you had the hardware and software available for a separate server, this took away 4 mailbox stores from an Enterprise Version Exchange Server that otherwise could be used for other purposes.

In Exchange 2007, this functionality is more granular and is now provided per individual mailbox. By using journaling rules within your Exchange 2007 Organization you have the ability to specify what correspondence is to be “journaled.” These rules can be limited to per-mailbox and per-distribution list or for the entire organization.

Message Classification

A new feature in Exchange, message classification, provides the ability for Administrators and Users to use either Outlook Web Access (OWA) 2007 or Outlook 2007 to categorize a message based on type. This feature is added to both Outlook interfaces by way of a button. OWA needs to be modified in order to support the use of this feature through its interface. There are 4 standard classifications that are included with Exchange 2007.

  • A/C (Attorney/Client) Privileged
  • Attachment Removed
  • Company Confidential
  • Company Internal

These classification tags are easily customizable and additional tags can be added based on best usage in your organization. The server can then act upon each classification using a Transport Policy as a trigger to perform a certain action. Classifications do not necessarily need to have an action associated with them. They can, in some instances, be purely for informational purposes.

In conclusion, the new policy based management for Regulatory Compliance within Exchange 2007 is the central mechanism behind the new features discussed in this article. It is these new features that make for one of the most compelling reasons to make the jump to Exchange 2007. Whether your organization currently uses Exchange or is considering an Exchange migration, Regulatory Compliance is a serious issue. The features available in Exchange 2007 allow an organization to easily achieve Regulatory Compliance and provide a user friendly environment.

For more information on Akibia's Microsoft services, please contact your Akibia Sales Representative or call 1-866-4-AKIBIA.