Microsoft Exchange is still the runaway standard for business communications, the de facto way to store, distribute, and manage company email for organizations with complex messaging needs. While different companies use the software in their own way (syncing to different mobile devices, connecting different email clients, and so on), all use it as a centralized server that makes messaging faster, more efficient, and more reliable. Having said that, privacy, compliance, and industry-specific standards often impose starkly different administration requirements from one niche to the next.
GLBA and Financial Services
Organizations in the financial services sector have to keep quite a few compliance regulations in mind when using Exchange, including the Gramm-Leach-Bliley Act (GLBA). GLBA requires banks, credit unions, insurance firms, and other financial institutions to protect their clients' private and personally identifiable information. In practice that means making sure sensitive messages are encrypted when transmitted over untrusted networks (like the internet), restricting access to sensitive data, and protecting the disks and servers that store confidential information.
IT administrators in financial companies need to get intimately familiar with the Exchange configurations that protect data both in transit and at rest. In newer versions, those configurations usually involve encryption at two distinct layers. Transport Layer Security (TLS) protects the sessions: SMTP connections between Exchange servers and partner mail systems, and the HTTPS connections used by Outlook, Outlook Web App, and mobile devices. (Older documentation says "SSL" for the client side; current Exchange builds negotiate TLS, and SSL 2.0/3.0 should be disabled.) Session encryption only protects the hop, though; once the message lands in a mailbox it is plaintext again. Information Rights Management (IRM), backed by Active Directory Rights Management Services, protects the message and its attachments themselves, controlling who can open, forward, print, or copy them wherever they travel. Administrators can apply IRM templates automatically with transport rules, and can also let users apply them to their own messages on an individual basis.
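The two layers described above, as an added example that is not part of the original article and not StorageCraft's or Microsoft's code: Exchange Management Shell commands (Exchange 2010/2013) that require TLS on the connectors carrying a partner bank's mail, enable IRM, and apply a "Do Not Forward" template by rule. The connector names, domain names, the sender address, and the "Confidential" trigger word are assumptions.

```powershell
# Added example (not from the original article). Run in the Exchange Management
# Shell. Connector, server, domain and mailbox names below are assumptions.

# 1. Transport-layer encryption. Opportunistic STARTTLS falls back to plaintext
#    if the peer cannot negotiate TLS; for a regulated partner, require it and
#    validate the certificate against the partner's domain.
Set-SendConnector -Identity "To Partner Bank" `
    -RequireTLS $true `
    -TlsAuthLevel DomainValidation `
    -TlsDomain "mail.partnerbank.example"

Set-ReceiveConnector -Identity "EX01\From Partner Bank" -RequireTLS $true

# 2. Message-level protection. Internal licensing lets transport rules and
#    Outlook obtain AD RMS licenses; Test-IRMConfiguration exercises the whole
#    chain (template lookup, encrypt, decrypt) for one sender.
Set-IRMConfiguration -InternalLicensingEnabled $true
Test-IRMConfiguration -Sender "jdoe@contoso.example"

# 3. Apply the built-in "Do Not Forward" AD RMS template automatically, so
#    protection does not depend on the sender remembering to click a button.
New-TransportRule -Name "Protect confidential mail" `
    -SubjectOrBodyContainsWords "Confidential" `
    -ApplyRightsProtectionTemplate "Do Not Forward"

# Verify: RequireTLS should read True on the connector, and IRM should report
# internal licensing enabled before you rely on the transport rule.
Get-SendConnector -Identity "To Partner Bank" |
    Format-List Name, RequireTLS, TlsAuthLevel, TlsDomain
Get-IRMConfiguration | Format-List InternalLicensingEnabled, ExternalLicensingEnabled
```

One caveat worth knowing before flipping `RequireTLS`: it applies to every message routed through that connector, so if the partner's server ever fails to negotiate TLS, mail queues rather than falling back to plaintext. That is the intended behavior for regulated traffic, but monitor the queues after the change.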
HIPAA and Healthcare
Healthcare organizations that run Exchange have their own compliance woes to contend with, and the Health Insurance Portability and Accountability Act (HIPAA) brings some of the most severe to the table. HIPAA requires hospitals, local clinics, medical centers, and other healthcare organizations to adopt IT security, privacy, and data management standards in order to safeguard patient information. Although the act doesn't mention email by name, any email message that contains protected health information must be isolated and protected like any other record that contains it.
HIPAA's documentation requirements call for records to be retained for six years, for the sake of security, privacy, complaint documentation, and general medical record-keeping, and sensitive email falls under the same expectation. Healthcare organizations can address this need with the Retention Tags feature in Exchange. Retention tags set how long messages, folders, and other mailbox content are kept before they are archived or deleted, and a retention policy bundles those tags and assigns them to mailboxes. This gives administrators an easy way to keep emails that matter for compliance and delete those with no value, reducing the risk of penalties. One caveat: retention tags govern expiry only. On their own they do not stop a user from deleting a message early, so preservation also needs a hold on the mailbox.
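The retention tag and policy described above, as an added example that is not part of the original article: Exchange Management Shell commands that keep everything in clinical staff mailboxes for six years and give users an optional short-lived tag for low-value mail. The tag, policy, and OU names are assumptions, and 2190 days is six years without counting leap days.

```powershell
# Added example (not from the original article). Exchange 2010/2013 Management
# Shell. Tag, policy and OU names are assumptions.

# Default policy tag (Type All): applies to every item without a more specific
# tag. Items are kept 2190 days (about six years), then permanently deleted.
New-RetentionPolicyTag -Name "Keep 6 years (default)" `
    -Type All `
    -AgeLimitForRetention 2190 `
    -RetentionAction PermanentlyDelete `
    -Comment "Six-year documentation retention"

# Personal tag users may apply themselves to newsletters and system notices.
# DeleteAndAllowRecovery keeps the item in Recoverable Items for the
# deleted-item retention window, so a mistaken tag is not fatal.
New-RetentionPolicyTag -Name "Delete after 30 days" `
    -Type Personal `
    -AgeLimitForRetention 30 `
    -RetentionAction DeleteAndAllowRecovery

# Bundle the tags into a policy and assign it to the clinical staff mailboxes.
New-RetentionPolicy -Name "Clinical staff" `
    -RetentionPolicyTagLinks "Keep 6 years (default)", "Delete after 30 days"

$clinical = Get-Mailbox -OrganizationalUnit "OU=Clinical,DC=hospital,DC=example"
$clinical | Set-Mailbox -RetentionPolicy "Clinical staff"

# Apply the policy now instead of waiting for the Managed Folder Assistant's
# next scheduled pass over these mailboxes.
$clinical | Start-ManagedFolderAssistant

# Verify which policy a mailbox actually received.
Get-Mailbox -Identity "nurse1" | Format-List Name, RetentionPolicy
```

Because a retention tag only sets when items expire, pair the policy with a hold (`Set-Mailbox -LitigationHoldEnabled $true`) on mailboxes whose mail must survive even if the user deletes it; the hold keeps deleted and edited items in Recoverable Items until it is lifted.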
FRCP and the Legal System
The Federal Rules of Civil Procedure (FRCP) apply, in general, to any organization that can be sued in U.S. federal court. If someone can come after your business with a civil lawsuit, these rules affect you. As digital storage became the norm, FRCP was amended (the 2006 eDiscovery amendments) to require organizations to be able to locate and produce emails and other electronically stored information promptly when it is relevant to a case. Without ready access to this data, organizations can rack up heavy legal costs and court sanctions on top of them.
Unlike HIPAA, FRCP does not require companies to retain email for a fixed length of time. However, once litigation is reasonably anticipated, the duty to preserve kicks in, and email archiving and search become critical. Organizations subject to FRCP can use the following Exchange features to make archiving and discovery more efficient:
Personal Archive. This feature gives a user a second, archive mailbox alongside the primary mailbox. Because the archive lives on the Exchange servers instead of in Outlook data files (PSTs) scattered across individual desktops, archived information is far easier to find, manage, and preserve for compliance purposes.
Legal Hold. This feature keeps emails, tasks, appointments, and other mailbox items that a user alters or deletes in the Recoverable Items folder instead of letting them expire, so the original content stays searchable. Exchange 2013 calls the mailbox-wide version Litigation Hold and adds query-based In-Place Hold. Administrators can enable a hold on individual mailboxes or script it across every mailbox in the company.
Multi-Mailbox Search. This feature (In-Place eDiscovery in Exchange 2013) lets authorized administrators search mailbox items such as emails and contacts across the entire organization, including IRM-protected messages once IRM is configured for search. It covers primary mailboxes, Personal Archive mailboxes, and items preserved in Recoverable Items, and results can be copied to a discovery mailbox through the web-based management console (the Exchange Control Panel in 2010, the Exchange Admin Center in 2013).
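The three features above used together to prepare two custodians for discovery, as an added example that is not part of the original article: enable archives, place the mailboxes on hold, then run an In-Place eDiscovery search that copies hits to the discovery mailbox. The user names, archive database, matter name, date range, and search terms are assumptions; "Discovery Search Mailbox" is the discovery mailbox Exchange setup creates by default.

```powershell
# Added example (not from the original article). Exchange 2013 Management Shell.
# Custodian names, the archive database, the matter name and the query are
# assumptions. Order matters: hold first, search second, so nothing is lost
# between the preservation notice and the search.

$custodians = "jdoe", "asmith"

# 1. Personal Archive: give each custodian a server-side archive mailbox so older
#    mail ends up there rather than in PST files on laptops the search cannot see.
foreach ($user in $custodians) {
    Enable-Mailbox -Identity $user -Archive -ArchiveDatabase "ArchiveDB01"
}

# 2. Litigation Hold: freeze the primary and archive mailboxes. Items the user
#    deletes or edits are kept in Recoverable Items until the hold is removed.
foreach ($user in $custodians) {
    Set-Mailbox -Identity $user `
        -LitigationHoldEnabled $true `
        -RetentionComment "Matter A: preserve all mail until further notice"
}

# 3. In-Place eDiscovery: query the held mailboxes (primary, archive and
#    Recoverable Items) and copy matches to the discovery mailbox for counsel.
#    IncludeUnsearchableItems flags items the indexer could not parse instead
#    of silently dropping them, which is what a reviewer will ask about first.
New-MailboxSearch -Name "Matter A" `
    -SourceMailboxes $custodians `
    -SearchQuery 'contract AND (merger OR acquisition)' `
    -StartDate "01/01/2012" -EndDate "12/31/2013" `
    -TargetMailbox "Discovery Search Mailbox" `
    -IncludeUnsearchableItems `
    -LogLevel Full

Start-MailboxSearch -Identity "Matter A"

# Verify hold state and search progress before telling counsel the set is ready.
$custodians | Get-Mailbox | Format-Table Name, LitigationHoldEnabled, ArchiveStatus
Get-MailboxSearch -Identity "Matter A" | Format-List Status, ResultNumber, ResultSize
```

In Exchange 2013 the same `New-MailboxSearch` can carry `-InPlaceHoldEnabled $true`, which holds only the items the query matches; a mailbox-wide Litigation Hold, as shown, is the safer default when the scope of the matter is not yet pinned down.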
A Word on DLP
Which configurations an organization needs to bother with will obviously depend on how the relevant standards affect its operation. But when compliance matters, every company can benefit from the built-in Data Loss Prevention (DLP) system. Exchange 2013 introduced DLP, which lets administrators create policies that govern how sensitive data is handled in transit. For example, you can configure Exchange to scan every message for specific keywords, regular expressions, or built-in sensitive information types (credit card numbers, account numbers, and similar) to make sure users aren't sharing information that violates company policy.
DLP in Exchange 2013 goes beyond the keyword-based transport rules of Exchange 2010 by using content analysis (pattern matching plus checksum and proximity tests for the built-in information types) to decide whether a message is a potential liability, rather than matching a bare string. Administrators can turn on Policy Tips so that Outlook 2013 warns users they are about to violate a policy before they hit "Send". A policy can also run in test mode first, with or without Policy Tips, so that rule hits are logged and reported but nothing is blocked, which lets you tune the rules before enforcement disrupts productivity.
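The staged rollout described above, as an added example that is not part of the original article: a DLP policy created from a built-in template in audit mode, a rule that generates Policy Tips and incident reports for outbound credit card numbers, then promotion to enforcement. The policy and rule names and the compliance mailbox are assumptions; the template name "U.S. Financial Data" and the classification "Credit Card Number" are ones Exchange 2013 ships with.

```powershell
# Added example (not from the original article). Exchange 2013 Management Shell.
# Policy/rule names and the report recipient are assumptions.

# Templates shipped with Exchange; pick one rather than authoring rules from zero.
Get-DlpPolicyTemplate | Format-Table Name

# 1. Create the policy in Audit mode: rules evaluate and log, nothing is blocked
#    and users see no Policy Tips yet.
New-DlpPolicy -Name "Financial PII" -Template "U.S. Financial Data" -Mode Audit

# 2. Add a rule to that policy: mail leaving the organization that contains at
#    least one credit card number gets a Policy Tip, and is rejected unless the
#    sender gives an explicit business justification. Each hit also produces an
#    incident report so compliance can measure false positives during the audit.
New-TransportRule -Name "Financial PII: card numbers outbound" `
    -DlpPolicy "Financial PII" `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @{Name = "Credit Card Number"; MinCount = "1"} `
    -NotifySender RejectUnlessExplicitOverride `
    -GenerateIncidentReport "compliance@contoso.example" `
    -IncidentReportContent Sender, Recipients, Subject, DataClassifications

# 3. Promote to "test with Policy Tips": users now see the warning in Outlook 2013,
#    but mail still flows while you review the incident reports.
Set-DlpPolicy -Identity "Financial PII" -Mode AuditAndNotify

# 4. Once the false-positive rate is acceptable, enforce.
Set-DlpPolicy -Identity "Financial PII" -Mode Enforce

# Verify the policy mode and that its rules are enabled.
Get-DlpPolicy | Format-Table Name, Mode
Get-TransportRule | Where-Object { $_.DlpPolicy -eq "Financial PII" } |
    Format-Table Name, State
```

`NotifySender` is where the policy's teeth are: `NotifyOnly` shows the tip and lets the message go, while the `RejectUnless...` options block it unless the user takes the named action. Start with the milder option in `AuditAndNotify` mode and tighten it only after the incident reports show the rule is matching what you expect.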
In-house vs. Outsourced Exchange Management
Managing a Microsoft Exchange Server deployment is no breezy walk in the park. Administrators have to make sure communication and collaboration flow safely and smoothly as important data streams through various networks, devices, and email clients. It is an even fiercer beast to tame when you have compliance requirements to worry about. Because of these challenges, and the consequences of failing to meet such strict standards, many organizations choose to outsource Exchange administration to third parties who are better equipped to deal with the hassle.
When sizing up the whole package, you could argue that Microsoft Exchange is the best solution around for enterprise communication; some organizations end up mixing and matching many individual products to recreate the functionality it delivers out of the box. The businesses that get the most from it are usually those with an equal understanding of both the opportunities and the pitfalls of Exchange, the ones that know how to tap into the functionality their organization needs, whether they extract it themselves or hand the burden to someone else.
Backup, recovery, and migration are among the most challenging aspects of Exchange administration, but with the right tools they can be a breeze. Learn what StorageCraft Granular Recovery for Exchange can do for your Exchange environment.
Photo Credit: Gavin Schaefer via Flickr