MCITP Microsoft Exchange Server 2007 Messaging Design and Deployment Study Guide, part 9


Email Compliance

concern in the private sector include Sarbanes-Oxley, SEC Rules 17a-3 and 17a-4 (which require broker-dealers to create and retain certain records), Gramm-Leach-Bliley, and the Health Insurance Portability and Accountability Act (HIPAA). The public sector is subject to the Freedom of Information Act and the Federal Information Security Management Act (FISMA), among others. For public- and private-sector organizations, protection of privacy information is a primary concern, as well.

Internal. Internal compliance is a means of risk mitigation for an organization; examples of risks to be mitigated include corporate liability (criminal or civil), financial loss, privacy breaches, disclosure of intellectual assets, discrimination/harassment, or breach of client/attorney privilege.

By all estimates, the total cost of compliance is steep—a $25 billion price tag in 2005 for the securities industry, according to the Securities Industry Association (SIA)—but the penalties for noncompliance can be much steeper, including stock exchange de-listing, multimillion-dollar fines, and even prison terms. By some estimates, up to 90 percent of the compliance costs are staff-related. The functionality introduced in Exchange Server 2007 reduces the complexity and lowers the effort required for compliance to meet the needs of many organizations of all sizes.

As defined by Microsoft, the primary capabilities required by an email compliance solution are as follows:

• Message retention. Also defined as the email life cycle (ELC), this includes not only functionality to automatically retain email for specified time periods based on specified criteria, but the ability to search for and retrieve retained email when required. This capability is particularly important for legal discovery and public-sector access to information requests, as the penalties for noncompliance can be extremely steep. It does no good if the records have been retained but can't be located when required.
• Controlled access. Not only must organizations retain specified email as required for compliance purposes, but they also must protect private information and keep data secure from unauthorized access. Organizations need to be able to protect data from unauthorized access or inadvertent disclosure, both in transit and at rest.
• Information and process integrity. This capability can include classifying email based on content and processing email according to its classification. It also may include automatically copying compliance personnel on relevant email, as well as creating "ethical firewalls" to prevent conflict-of-interest scenarios, such as communication between stock brokers and market-research personnel in a financial institution.

Corporate email policy is the most important component of any email compliance implementation. This component is not a technical document, but a business policy; it should include compliance measures created by your compliance or risk officers based on the relevant laws and regulations for your industry. The email policy also should address areas of risk and potential liability, particularly in the areas outlined at the beginning of this section.

81461.book Page 671 Wednesday, December 12, 2007 4:49 PM
Chapter 16: Planning Exchange Server 2007 Compliance

Messaging Records Management

Exchange Server 2007 introduces messaging records management (MRM). This feature provides the message-retention capability defined in the previous section of this chapter, giving users and the organization the ability to retain or remove messages as required for company policy compliance, government regulations, or legal needs. When the retention limit for an email is reached, it can be deleted or archived, an event can be logged, or the message can be flagged for user attention. MRM also can be combined with message classification and transport rules to provide a comprehensive email compliance solution.

Messaging records management is composed of the following components:

• Managed folders (default and custom)
• Managed content settings
• Managed folder mailbox policies
• Managed Folder Assistant

Implementing Compliance Technologies

Organizations implement some technologies to enforce policy and impose certain behavior on end users. For example, your organization may wish to enforce retention periods or delete or restrict messages based on content. The technologies discussed in this chapter can fall into this category, especially messaging records management.

The introduction of a feature set, such as messaging records management or message classification, may not always be well received by users, who may see it as an intrusion or an obstacle to doing their job. In many cases, this resistance is the result of an unclear or nonexistent email policy, insufficient communication to end users regarding the purpose of the new features, lack of upper-management sponsorship, or all of those elements. If you design and present your messaging records management deployment as an aid to the organization rather than as an obstacle to be overcome, then you are much more likely to achieve a successful implementation that meets the needs of the organization.

If you don't have a clearly defined corporate email policy endorsed by the upper management of your organization, you're essentially implementing the compliance solutions discussed here by flying by the seat of your pants. As a result, the implementation will likely be a failure in the long run. With a compliance implementation (and any other technology implementation, for that matter), the technology needs to meet the requirements of the business; the business should not have to adapt to the technology.

Messaging records management is managed through the Exchange Management Console (EMC) mailbox work center, as shown in Figure 16.1.

FIGURE 16.1 Messaging records management through EMC

The following cmdlets are available for configuring and managing MRM through the Exchange Management Shell (EMS):

• Get-ManagedContentSettings
• Get-ManagedFolder
• Get-ManagedFolderMailboxPolicy
• New-ManagedContentSettings
• New-ManagedFolder
• New-ManagedFolderMailboxPolicy
• Remove-ManagedContentSettings
• Remove-ManagedFolder
• Remove-ManagedFolderMailboxPolicy
• Set-ManagedContentSettings
• Set-ManagedFolder
• Set-Mailbox
• Set-MailboxServer
• Set-ManagedFolderMailboxPolicy
• Start-ManagedFolderAssistant
• Stop-ManagedFolderAssistant

MRM Requirements

To apply a managed folder mailbox policy to a mailbox, that mailbox must reside on an Exchange Server 2007 computer. Mailboxes that have a managed folder mailbox policy applied to them can be accessed via Exchange Server 2007 Outlook Web Access, Outlook 2007, and Outlook 2003 SP2. Outlook 2003 SP2 clients can access the mailbox but will not have access to all the features that are available to Outlook 2007 clients. For example, Outlook 2003 SP2 clients do not see the managed-folder comments as configured in the EMC or EMS.

Accessing mailboxes that have managed folder mailbox policies assigned to them with clients running versions of Outlook older than Outlook 2003 SP2 is not supported.

Planning MRM

Once a corporate email policy is defined, your MRM deployment can be planned, using the policy as a framework. The steps to deploy MRM are as follows:

1. Create managed folders
2. Create managed content settings
3. Define managed folder mailbox policies
4. Apply managed folder mailbox policies
5. Configure the Managed Folder Assistant

Managed Folders

Managed folders are default and custom folders within mailboxes that have MRM enabled. Managed folders are created, then managed content settings are applied to them as required to satisfy corporate email policy. For example, if the corporate email policy states that messages pertaining to client projects are retained for two years and messages containing data covered by a piece of legislation that has been introduced named the Privacy Act are retained for 90 days, you would create managed custom folders for this purpose.

Managed folders are the most visible portion of messaging records management to end users. They can't be moved, deleted, or renamed by end users, and all managed custom folders appear in the user's mailbox under a top-level folder named Managed Folders. The Managed Folders folder also can't be moved, deleted, or renamed by end users or administrators.

Managed Default Folders

Managed default folders are folders created in a user's mailbox by default with or without MRM implemented. These folders include the Inbox, Sent Items, and Deleted Items folders, among others. A complete list of the default folders in a standard Exchange Server 2007 installation is shown in Figure 16.2.

FIGURE 16.2 Managed default folders

You can create new managed default folders for use in MRM to apply unique settings to certain groups of users. For example, you might want to create a new managed default folder of Inbox type named One-Year Retention with a retention period of one year. The One-Year Retention default folder could then be assigned to users who need those settings rather than the settings assigned to the standard Inbox folder.

New instances of managed default folders always display with the standard default name. For instance, in the example outlined earlier, users with the One-Year Retention folder assigned to them would see the folder in their mailbox as Inbox (as the folder is of the Inbox type) rather than the One-Year Retention name assigned to it on creation.

Only one managed default folder of any type (Inbox, for example) can be assigned to a mailbox. This is because you can't assign more than one managed default folder of any folder type in any one managed folder mailbox policy, and you can assign only one managed folder mailbox policy per mailbox.

Managed Custom Folders

Managed custom folders are created for the express purpose of MRM and appear in a mailbox's folder list separately from default folders, under a special default folder named Managed Folders. They are created through the Exchange Management Console or the Exchange Management Shell and assigned to users or groups of users. These folders are displayed in Outlook 2007 with a special folder icon, as shown in Figure 16.3. The managed folders are displayed similarly in Exchange Server 2007 Outlook Web Access.

FIGURE 16.3 Managed custom folders in Outlook 2007

Using Managed Folders

With managed folders, as with many other end-user-facing features, less is generally better. Keeping the number of managed folders to a minimum will make your end users happier and simplify ongoing management of your Exchange Server 2007 system. If users have an overwhelming number of managed folders in their mailboxes, they will find them difficult to use and will be more likely to try to find ways to work around them. However, you need to remember that your users are professionals just like you; they simply have different areas of expertise. Their goal, just like yours, is to do their job; your goal needs to be to design an MRM implementation that allows your end users to do their jobs.
They are your customers, after all.

Creating Managed Folders

Exercise 16.1 outlines the steps required to create a managed custom folder for a project named Project 237 using the Exchange Management Console and a second managed custom folder for Privacy Act data using the Exchange Management Shell.

A good approach to take is to determine which managed folders can be used by your entire organization, using your corporate email policy as a guide and keeping this number to an absolute minimum. Then, using these folders as a baseline, design additional folders as required to meet the needs of specific departments or sections in your organization. And, at all times, you need to keep it lean and mean; just because you can create hundreds of managed folders doesn't mean you should.

EXERCISE 16.1: Creating Managed Custom Folders

Managed custom folders can be created using either the Exchange Management Console GUI or with PowerShell via the Exchange Management Shell. Let's walk through the steps to create folders using both methods.

Using the Exchange Management Console

In this section of the exercise, we will create a managed custom folder using the Exchange Management Console.

1. Select Start > All Programs > Microsoft Exchange Server 2007, and then click on Exchange Management Console. Within the Exchange Management Console, expand the Organization Configuration work center, select the Mailbox subnode, and then select the Managed Custom Folders tab in the result pane, as shown here.
2. In the action pane for the Managed Custom Folders tab, select New Managed Custom Folder to start the New Managed Custom Folder wizard.
3. In the New Managed Custom Folder wizard shown below, enter Project 237 in the Name field. (Note that the display name for Outlook is set to the same value as the Name field by default; these can be configured differently if required.) In the comment field, enter Email content related to Project 237; to be retained for two years. Then click New.
4. On the Completion screen of the New Managed Custom Folder wizard, confirm that the command completed successfully, and click Finish.
5. Back in the Exchange Management Console result pane, verify that the newly created Project 237 folder is listed on the Managed Custom Folders tab as shown here.

Using the Exchange Management Shell

Now we will create a second managed custom folder, this time using PowerShell.

1. Select Start > All Programs > Microsoft Exchange Server 2007, and then click on Exchange Management Shell. In the Exchange Management Shell, enter the following cmdlet and press Enter:

    New-ManagedFolder -Name 'Privacy Act' -FolderName 'Privacy Act' -StorageQuota 'unlimited' -Comment 'Email content containing data covered by the Privacy Act; to be retained for 90 days'

2. Verify the output of the cmdlet as shown here. The newly created folder also can be seen in the Exchange Management Console GUI (you may have to refresh the view by pressing F5).

Managed Content Settings

Managed content settings are applied to managed folders to control the life cycle of items in users' mailboxes by controlling retention, applying actions to content no longer needed, and journaling relevant content to a storage location outside the mailbox.

Managed content settings can be defined for either existing default folders or newly created managed folders. Retention settings as well as journaling parameters are defined; all settings are defined per managed folder. Retention settings include the length of retention (in days), the definition of when retention starts, and the action to be taken at the end of retention.

The following settings are available for defining when the retention period starts:

• When delivered, end date for calendar, and recurring tasks
• When item is moved to the folder

In addition, the following actions can be performed at the end of the retention period:

• Move to the Deleted Items folder
• Move to a managed custom folder
• Delete and allow recovery
• Permanently delete
• Mark as past retention limit

Creating Managed Content Settings

Now that we've created some managed custom folders, we can configure content settings for these folders. Content settings define the retention policies for the folder and the actions to be taken at the end of the retention period.

As with all other features of Exchange Server 2007, the Exchange Management Console GUI is derived from and is a subset of PowerShell as provided in the Exchange Management Shell. This means that, although most functions can be performed through the management console, you will almost certainly find it necessary to learn the PowerShell cmdlets that are being invoked. Doing so will enable you to leverage PowerShell to script and automate management tasks, which in many cases is the only practical approach in a typically complex enterprise environment (which is why this book shows you how to perform each task with both the management console and the equivalent PowerShell cmdlets).

We are going to focus on defining managed content settings for custom folders here. The methodology for creating content settings for default folders is essentially identical. Exercise 16.2 outlines the steps to create managed content settings for the managed folders created in Exercise 16.1.
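
The five deployment steps listed under Planning MRM, carried through in the Exchange Management Shell for the Privacy Act folder and its 90-day retention. This is an added example, not the book's exercise text; the content-settings, policy, server and mailbox names, the retention trigger and action, and the assistant schedule are assumptions chosen for illustration.

```powershell
# Added example for the Exchange Management Shell (Exchange Server 2007).
# From the page: the 'Privacy Act' folder, its comment and the 90-day retention.
# Assumed for illustration: $settings, $policy, $server, $pilot, the retention
# trigger, the retention action and the assistant schedule.
$folder   = 'Privacy Act'
$settings = 'Privacy Act - 90 days'
$policy   = 'Privacy Act Policy'
$server   = 'MBX01'
$pilot    = 'jsmith'

# Step 1: managed custom folder (same cmdlet as Exercise 16.1); skip if present.
if (-not (Get-ManagedFolder -Identity $folder -ErrorAction SilentlyContinue)) {
    New-ManagedFolder -Name $folder -FolderName $folder -StorageQuota 'unlimited' `
        -Comment 'Email content containing data covered by the Privacy Act; to be retained for 90 days'
}

# Step 2: managed content settings. All message classes, 90 days counted from
# the moment the item is moved into the folder, then delete but allow recovery.
if (-not (Get-ManagedContentSettings -Identity $settings -ErrorAction SilentlyContinue)) {
    New-ManagedContentSettings -Name $settings -FolderName $folder -MessageClass '*' `
        -RetentionEnabled $true -AgeLimitForRetention '90.00:00:00' `
        -TriggerForRetention WhenMoved -RetentionAction DeleteAndAllowRecovery
}

# Step 3: managed folder mailbox policy that links the folder.
if (-not (Get-ManagedFolderMailboxPolicy -Identity $policy -ErrorAction SilentlyContinue)) {
    New-ManagedFolderMailboxPolicy -Name $policy -ManagedFolderLinks $folder
}

# Step 4: apply the policy to one pilot mailbox first (one policy per mailbox).
Set-Mailbox -Identity $pilot -ManagedFolderMailboxPolicy $policy

# Review what will be enforced before anything is processed: a wrong age limit
# or action here deletes mail that the email policy requires you to keep.
Get-ManagedContentSettings -Identity $settings |
    Format-List Name, MessageClass, RetentionEnabled, AgeLimitForRetention,
                TriggerForRetention, RetentionAction
Get-Mailbox -Identity $pilot | Format-List Name, ManagedFolderMailboxPolicy

# Step 5: schedule the Managed Folder Assistant on the mailbox server, then
# process only the pilot mailbox now instead of waiting for the schedule.
Set-MailboxServer -Identity $server -ManagedFolderAssistantSchedule 'Sun.1:00 AM-Sun.3:00 AM'
Start-ManagedFolderAssistant -Mailbox $pilot
```
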
We will create the content settings for the Project 237 folder using the GUI and for the Privacy Act folder using a PowerShell cmdlet.

EXERCISE 16.2: Creating Managed Content Settings

As with managed folders, the managed content settings can be configured with either the Exchange Management Console or the Exchange Management Shell. In this exercise, we will walk through the steps involved in both methods.

Using the Exchange Management Console

1. Start the Exchange Management Console using Start > All Programs > Microsoft Exchange Server 2007. Within the Exchange Management Console, expand the Organization Configuration work center, select the Mailbox subnode, and then select the Managed Custom Folders tab in the result pane. Highlight the Project 237 folder, then select New Managed Content Settings.

[...]

... classification is used

Messaging Client

As stated previously, Exchange Server 2007 message classifications are set by the message sender on outgoing messages in Outlook 2007 and Exchange Server 2007 Outlook Web Access.

FIGURE 16.12 Message classifications in Active Directory

Message classifications are configurable only in Outlook 2007 and Exchange Server 2007 Outlook Web Access, and are visible only...

new functionality. In Outlook 2007 and Exchange Server 2007 Outlook Web Access, the classification metadata can be used to display visual labels in the form of a user-friendly description of the classification for the recipients and the sender of the email. Exchange Server 2007 message classifications are visible only in Exchange Server 2007 Outlook Web Access and Outlook 2007. Message classifications...

created on Exchange Server 2007 using PowerShell cmdlets, although there are some predefined default classifications. The default user-accessible classifications in Exchange Server 2007 Outlook Web Access are A/C Privileged, Company Confidential, and Company Internal; these are shown in Figure 16.9.

FIGURE 16.9 Default...

visible in Outlook 2007 and Exchange Server 2007 Outlook Web Access, they may still be of use in your organization. The steps to create a transport rule for the Exchange organization to apply the Privacy Act classification would be as follows:

1. Start the Exchange Management Console from Start > All Programs > Microsoft Exchange Server 2007. Within the Exchange Management Console, expand the Organization...

Server\Scripts directory on the Exchange Server 2007 computer.

Next, to use the classification XML file, Outlook 2007 clients also require message classification to be enabled. This is done through the registry, by creating the three values shown below:

    [HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Policy]...

against threats from inbound email such as malware (viruses, worms, Trojans, and phishing, for example) and spam, little thought has been devoted to the compliance and intellectual-property risks of internal and outgoing email. Messaging records management can assist in dealing with these issues...

as shown here. Close the message and log out of Outlook Web Access.

Deploying Message Classifications to Outlook 2007 Clients

In this section of the exercise, we will distribute the message classification XML file to the Outlook 2007 client and enable Outlook 2007 for message classification...

Console from Start > All Programs > Microsoft Exchange Server 2007. Within the Exchange Management Console, expand the Server Configuration work center, then select the Mailbox subnode. Highlight the mailbox server to be configured in the Results pane, then select Properties from the server section of the Action pane.

2. In the Properties dialog for the mailbox server, select the Messaging Records Management...

SenderDescription and RecipientDescription fields appropriately for end users.

1. Start the Exchange Management Shell from Start > All Programs > Microsoft Exchange Server 2007. At the PowerShell prompt, enter the following cmdlet and then press Enter.

    New-MessageClassification -Name Privacy -DisplayName...

Outlook 2007

For Outlook 2007 users to be able to set message classifications, the classifications must be exported from Active Directory to an XML file, and this file made accessible to Outlook 2007 clients. There is an Exchange Server 2007 PowerShell script named Export-OutlookClassification.ps1 provided for this purpose; this script is located in the :\Program Files\Microsoft\Exchange Server\Scripts

Date posted: 09/08/2014, 07:20
