EXC05 Email Discovery and ComplianceOn Ice

1
EXC05Email Discovery and ComplianceOn Ice!

• Devin L. Ganger (3Sharp LLC) deving_at_3sharp.com
• (e)Mail Insecurity http//blogs.3sharp.com/blog/d
  eving/

2
Download the most up-to-date version of these
slides athttp//www.3sharp.com/files/deving/exc0
5.ppt
3
Download the free ebook athttp//www.windowsitli
brary.com/Ebooks/emaildiscovery/Index.cfm

• Published by Windows IT Pro
• Sponsored by iLumin (now CA)
• Registration required

4
Brave New World of Email

• Email is the most powerful driver for corporate
  connection to the Internet
• Email is no longer just about messaging
• Calendaring and scheduling
• Document management
• Contact management
• Primary communication channel
• Every activity of the business day
• SMTP (store and forward) won the standard war

5
Managing the Email Systems Data

• Four key concepts for email management (DCAR)
• Discovery finding messages for litigation.
• Compliance meeting legal and regulatory
  requirements.
• Archival holding on to the messages you need.
• Retention winnowing out the messages you dont
  need.
• All four involve mechanisms, policies, and people
• All four overlap and are facets of the same
  subject

6
What do they need?

• Discovery
• Fast storage and retrieval
• Accurate and comprehensive indexing
• Control over offline mail stores (PSTs)
• Global scope entire messaging system
• Compliance
• Enforcement of required behavior
• Monitoring and auditing
• Goal-oriented guidance vs. specific guidance
• Global scope entire messaging system

7
What do they need? (continued)

• Archival
• Clear requirements from all sources
• Control over offline mail stores (PSTs)
• Long-term storage, indexing, and recovery
• Global scope entire messaging system
• Retention
• Clear requirements from all sources
• Pre-established criteria
• Control over offline mail stores (PSTs)
• Global scope entire messaging system

8
Putting it all together

• All four areas are affected by the same inputs
  SLAs, legal liability, etc.
• Design a unified DCAR solution
• Identify your business drivers
• Relate your drivers to the four components
• Identify affected people and processes
• Identify required features for hardware
  software
• Identify pending changes to messaging system

9
Business Drivers

• Ensure regulatory compliance
• Address IT concerns
• Balancing quotas with information loss
• Meeting backup and restore SLAs
• Controlling and audting access to restricted
  information
• Reducing maintenance on messaging system
• Reducing performance/storage burden on messaging
  system
• Providing an alternative to PSTs

10
Business Drivers (continued)

• Preserve corporate knowledge
• Increase value of the messaging system
• Mitigate impact of litigation
• Deleting the wrong messages
• Searching for the right material
• Documenting and demonstrating policies
• Become proactive

11
Know Your Enemy!

• Regulatory compliance is not the enemy disorder
  is!
• DCAR is your opportunity to change how your org
  views and uses email!

12
Regulatory Overview

• Five major US federal regulations covered, but
  there are more!
• Dont forget state and local!

13
Gramm-Leach-Bliley Act (GLB)

• Three different pieces of legislation
• Financial Modernization Act of 1999
• Financial Institution Privacy Protection Act of
  2001
• Financial Institution Privacy Protection Act of
  2003
• Financial institutions
• Protect customer nonpublic information
• Enforced by multiple federal agencies and by
  states
• Establish controls on customer data to prevent
  unauthorized disclosure (opt-in)

14
HIPAA

• Protect personal health information (PHI)
• Privacy Rule Patients rights over PHI
• Security Rule Safeguards to protect PHI
• PHI should only be access when and where needed
• Documentation is crucial
• Gives discretion to implementer
• No specfic technical measures!
• .but few hard guidelines!

15
Sarbanes-Oxley (SOX)

• Additional oversight for publicly traded
  companies and independent auditors
• Not directly concerned with computer systems
• Covers a lot of ground
• Challenge lack of approved methodologies or
  frameworks
• ISO/IEC 17799
• COBIT
• COSO
• Biggie prevent changes to archived data (WORM)
• Covers all aspects of the company that can affect
  the bottom line
• Not just for Fortune 500!

16
SEC Rule 17a-4

• Establishes criteria for electronic record
  storage of recordkeeping mandated by SEC
• Record retention which ones to keep and when
  they can be stored electronically
• Three key concepts
• Designated third party
• Escrow
• Second copy
• Three-year storage
• First two years accessible

17
USA Patriot Act

• Lets regulators find and correlate unusual
  financial transactions
• List of required capabilities
• Shifts burden of discovery of questionable
  activities to affected financial institutions
• Proactively responsible for detecting and
  reporting computer trespass!

18
Where to find more information

• Compliance Onlinehttp//www.complianceonline.com/
  
• Chapter 2 of the ebook has more details, scorecard

19
Messaging Environment

• Running Exchange 5.5? Upgrade!
• Evaluate your organization you might need to
  change it to get it ready for DCAR!
• AD forests, domains, sites
• Admin and routing groups
• Routing/front-end/bridgehead servers
• Mailbox/public folder servers
• Public folder servers
• Clients
• Mail-enabled applications
• LAN/WAN bandwidth
• Backup and recovery
• Message hygiene
• Message transport security
• Encrypted messages

20
People and Processes

• Establish scope
• Identify business drivers
• Identify supporting benefits
• Establish trust
• Listen first!
• Identify stakeholders
• Identify user needs and concerns
• Identify procedures to update
• Identify a review process
• Identify necessary training

21
Four Fatal Design Flaws

• Pushing the p word
• Letting loose the winds of change
• Engaging in tunnel vision
• Expecting people to change

22
What can you do natively in Exchange?

• Message journaling
• Simple journaling
• Introduced in Exchange 5.5 SP1
• No BCC recipients
• No DL expansion
• No address rewriting
• BCC journaling (Exchange 2000x)
• Add a registry entry
• Exchange 2003 RTM
• Exchange 2000 SP3 KB 810999
• Envelope journaling
• Exchange 2003
• Exchange 2000 SP3 Post-SP3 Update Rollup

23
Other native Exchange capabilities

• Backup/restore APIs
• Message and transport security
• Other technologies
• Event sinks
• Protocol logs
• Message tracking
• Message hygiene APIs

24
What Exchange Cant Do

• PST management
• Policy-based archival
• Indexing and searching
• Consider your search interface Boolean or not?
• Natural language processing
• Access control and auditing
• Integrate with other applications
• Mail-enabled applications (databases)
• IM
• Telephony

25
Finding your DCAR solution

• Pricing model
• Scalability
• Installation complexity
• Backup and restore impact
• Storage impact
• Performance impact
• Maturity

26
Questions?