
J. Peter Bruzzese, Exchange MVP, ClipTraining/Pluralsight/InfoWorld

Eliminate the Regulatory Compliance Nightmare

SPR201

J. Peter Bruzzese
• Microsoft Exchange MVP
• Microsoft Certified Trainer (MCT)
• Certifications:
  • Triple-MCSE (MCSE for NT 4.0/2000/2003)
  • MCITP: Messaging (2007 and 2010)
  • A+, Network+, iNet+
  • CIW, CNA, CCNA… and others

• Co-Founder and CIO of ClipTraining
• Technical author with over a dozen books sold internationally
• Technical speaker for Techmentor, Connections, MEC and TechEd
• Product Reviewer for MSExchange.org for nearly 5 years
• Journalist for InfoWorld (Enterprise Windows column) for 5+ years
• Instructor for Pluralsight on all Exchange 2010/2013 courses

Agenda
• Review the purpose of regulatory compliance (and the fear that it causes, along with some creative thoughts to mitigate that fear)
• Review built-in Exchange tools, how they help admins with compliance and what you need to be aware of to ensure you are using them correctly
• Discuss a few third-party options that can assist in meeting regulatory compliance within your environment

“The collapse of Enron was devastating to tens of thousands of people and shook the public's confidence in corporate America.”
— Robert Mueller, 6th Director of the FBI (2001-2013)

The Purpose of Regulatory Compliance
• In recent years governments all around the globe have instituted new regulations to ensure greater operational transparency
  • Some organizations, like the International Organization for Standardization (ISO), create international standards
  • Most standards are created and enforced by individual countries
• Regulatory compliance is the adherence to laws, guidelines and/or specifications by an organization
• The key aspects of regulatory compliance from an IT perspective are the retention of data for extended periods of time and the ability to discover that data if necessary
• Failure to comply is often met with some form of legal punishment (if discovered), including federal fines and possibly imprisonment

And so maybe you feel like this…

Examples of Regulatory Compliance Laws
• Some of the more well-known U.S. and international regulations:
  • Sarbanes-Oxley Act of 2002 (SOX)
  • Securities and Exchange Commission Rule 17a-4 (SEC Rule 17a-4)
  • National Association of Securities Dealers 3010 & 3110 (NASD 3010 & 3110)
  • Gramm-Leach-Bliley Act (Financial Modernization Act)
  • Financial Institution Privacy Protection Act of 2001
  • Financial Institution Privacy Protection Act of 2003
  • Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  • Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (Patriot Act)
  • European Union Data Protection Directive (EUDPD)
  • Japan’s Personal Information Protection Act

Have you seen these…?

Regulatory Burden for IT Administrators
• In larger organizations you typically have a legal team to assist in laying out what you need to do to comply with regulations
  • Some organizations have compliance officer positions
• Smaller businesses may have more difficulty knowing what is right or wrong in order to comply, and this may be a large burden for them
  • To assist, a site called Business.USA.gov was launched that provides small businesses with resources

Alternative Thinking for Compliance
• After years of thinking there was only one approach to regulatory compliance (just do as you are told), I found myself being “schooled” by folks thinking outside the box
• Some organizations have decided (based on legal advice) to retain less… not more… data
  • One very large cable provider that sends out 1 billion emails each year has a 45-day Inbox retention and a 15-day backup retention
• The concept is “they cannot discover what we don’t have!”
• While this isn’t legally possible for all companies, many simply have to have a written policy indicating the time frame they agree to retain, and hold to it

The Potential Flaw in Alternative Thinking
• The flaw in this thinking is quickly discovered when a lawsuit is presented and the company suing has its proof in hand (and the stronger case as a result)
• Remember… there are TWO sides to every email conversation… the sender and the receiver
• Switching from a “retention” policy to a “deletion” policy may appear to have its advantages (less up-front stress being a key plus), but… in a world of excessive litigation it may be better to know as much as the prosecution does

Built-in Tools to Assist in Exchange Regulatory Compliance
• Exchange 2013 has built-in tools:
  • In-Place Archive
  • In-Place Hold (Legal/Litigation Hold)
  • In-Place eDiscovery
  • Messaging Records Management
  • Journaling
  • Transport Rules
  • Data Loss Prevention
  • Mailbox/Administrator Audit Logging
  • Information Rights Management

Reviewing Proper Usage
• Personal In-Place Archive
  • Not an archive so much as a secondary mailbox to eliminate the PST nightmare
  • Quotas led to PSTs… Enrons led to regulations… the need for discoverability declared PSTs “bad”… the In-Place Archive solves that problem (and allows admins to keep production mailboxes on high-performance disks if they wish)
• In-Place Hold
  • Typically enabled AFTER a problem is reported
  • In-Place Hold is better than legacy Legal Hold because without SIS (single instance storage) you are looking at storage bloat
• In-Place eDiscovery
  • An improvement compared to multi-mailbox search in 2010

Reviewing Proper Usage (cont.)
• Messaging Records Management
  • Relies heavily on end-user participation, depending on setup
  • More about pushing for a cleaner, leaner mailbox
• Journaling
  • Easy to tamper with, and Microsoft doesn’t tout this as an archive solution but more as a compliance feature with regard to administrative checks and balances (i.e. an easy way to review employee/client communications as part of your corporate or legal policies)
• Transport Rules and Data Loss Prevention
  • Excellent solutions, and DLP has been further enhanced with SP1

Reviewing Proper Usage (cont.)
• Auditing
  • Complex to enable and configure (note: only through the EMS, and once enabled you still have to configure specific aspects)
• Information Rights Management (IRM)
  • Complex setup (requires AD RMS) and only affects in-house end-users
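The auditing point above, as an added Exchange Management Shell example (not from the presentation): enabling both mailbox and administrator audit logging, then verifying and reviewing them. It assumes an on-premises Exchange 2013 organization and a placeholder mailbox named "finance.user".

```powershell
# Added example, not part of the original deck. Assumes Exchange 2013 on-premises,
# an EMS session, and a placeholder mailbox "finance.user".

# 1. Mailbox audit logging is off by default and is enabled per mailbox.
#    -AuditEnabled only switches the feature on; which actions are logged
#    still has to be chosen per logon type (owner, delegate, admin).
$mailbox = "finance.user"
Set-Mailbox -Identity $mailbox -AuditEnabled $true `
    -AuditOwner    HardDelete,SoftDelete,MailboxLogin `
    -AuditDelegate SendAs,SendOnBehalf,HardDelete,SoftDelete,Update,FolderBind `
    -AuditAdmin    SendAs,SendOnBehalf,HardDelete,SoftDelete,Update,Copy,Move,MoveToDeletedItems `
    -AuditLogAgeLimit 180.00:00:00   # keep entries 180 days (default is 90)

# 2. Administrator audit logging records cmdlets run by admins org-wide.
#    Log every cmdlet and parameter and keep the log 180 days.
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true `
    -AdminAuditLogCmdlets "*" -AdminAuditLogParameters "*" `
    -AdminAuditLogAgeLimit 180.00:00:00

# 3. Verify: list user mailboxes that still have auditing disabled.
#    An empty result is the goal; anything listed is a gap in the audit trail.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.AuditEnabled } |
    Select-Object Alias, AuditEnabled

# 4. Review: non-owner (delegate/admin) access to the mailbox in the last 30 days.
Search-MailboxAuditLog -Identity $mailbox -LogonTypes Delegate,Admin `
    -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -ShowDetails |
    Select-Object LastAccessed, LogonUserDisplayName, Operation, ItemSubject

# 5. Review: which admins changed audit settings recently (e.g. turned auditing off).
Search-AdminAuditLog -Cmdlets Set-Mailbox,Set-AdminAuditLogConfig `
    -Parameters AuditEnabled,AdminAuditLogEnabled `
    -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) |
    Select-Object RunDate, Caller, CmdletName, Succeeded
```

Steps 3 and 5 are the checks worth scheduling: a mailbox that drops out of auditing, or a Set-Mailbox call that flips AuditEnabled, is what a later discovery request will expose.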

Tools to Assist with Compliance
• Microsoft provides a variety of tools to assist
  • For example, PST Capture is a free tool to pull PST files into your Exchange In-Place Archive
• You may look to third-party tools as well
  • For example, you may want an on-premises archive appliance, or go with a cloud-based archive solution to provide another layer of “insurance” and robust end-user options for archive access
• Let’s consider two third-party offerings as examples of a governance/auditing tool and a cloud-based archive solution

Governance and Auditing Tools
• Example: KnowBe4’s Compliance Manager (KCM)
• We all know that spreadsheets are not always the best audit tracking tools
• KCM helps you state the controls you have in place to meet requirements, delegate responsibility for those controls and periodically provide evidence that the controls are operating effectively

Cloud-based Archive Solutions
• Example: Mimecast’s Email Archiving
• Cloud-based platform that allows for a bottomless mailbox for end users
• End-user email archive access across mobile devices (Android, iPhone, iPad, Windows Phone, etc.)
• Best part… end-users have no control over archive retention (they can see the emails but cannot delete them), creating enterprise-grade discovery while providing a deterrent

Q&A and Contact Information
• Email for J. Peter: [email protected]
• Twitter: @JPBruzzese
• Blog: http://www.infoworld.com/blogs/j-peter-bruzzese

11:30-1:30, Mimecast Booth: Giveaway and Signing

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.