The building blocks for compliance in your messaging system

Messaging compliance is a necessary nightmare for administrators today. The need to comply with or conform to the regulations that have been designed over the past decade has become a necessary burden when establishing your messaging environment. Ignoring the compliance aspects up front while designing and deploying your messaging environment could cost more than time and money later on should litigation require you to produce messaging evidence. Plus, your organization might be held legally responsible should it be found that you are not in compliance with the regulatory requirements.

Each organization is different, so the laws may apply different to each one. Thus, you need to know the requirements for your business; well-known regulations include Sarbanes-Oxley, Health Insurance Portability and Accountability Act (HIPAA), and the Patriot Act. It’s best not to take it upon yourself to study up on the law and but rather to seek out expert messaging architects and legal advice in planning out your messaging infrastructure to be in compliance.

[ Get expert networking how-to advice from InfoWorld’s Networking Deep Dive PDF special report. | Keep up on the latest networking news with our Technology: Networking newsletter. ]

Although you should get expert help on understanding the laws’ requirements for your business, it’s up to you to implement these requirements in IT systems. Some of the issues you’ll have to implement include:

• Data retention: You may be required to retain messaging correspondence for a period of time.
• Privacy and confidentiality: With sensitive data traversing through a messaging system, it’s necessary to ensure that the data is protected.
• Ethical walls: It may be necessary at times to prohibit communication between people within your own company. There are ways around such prohibition, but as far as it depends upon your ability to control the messaging aspect of communication, you need to prove that you’ve done your best.
• Discovery: Litigation against your organization or individuals within your organization may require mailbox content be discovered and handed over for review.

It’s critical to accept that such policies have to be implemented and enforced at the server level, not the user level. In other words, compliance cannot be left up to your users’ management and filing habits (in the case of retention compliance), nor can you simply give your people a talk about “ethical walls” and hope they comply. You need the tools to enforce compliance so that policies you create can be applied continuously — not only for the sake of complying, but so you can prove that your organization did everything it could to comply with the legal requirements governing your business.

That’s where Microsoft Exchange 2010 can help. It has several tools to assist with policy and compliance:

• Transport rules: One of the most powerful tools provided in Exchange is the ability to create transport rules. They are powerful for two reasons. First, the messaging structure of Exchange has all messages going through at least one Hub Transport server and possibly through Edge Transport servers. These are key servers where rules can be applied to messages while in transit. Those rules include conditions, actions, and possibly exceptions. You can use transport rules to prevent inappropriate content from coming in or leaving your environment. You can filter confidential information, track messages, redirect messages, apply disclaimers, and much more.
• Message classifications: Exchange 2010 allows messages to be classified, or tagged, either through a transport rule or manually by a user when creating the email. Essentially, this adds metadata to the message that describes the use or audience of the message. For example, you might attach an Attorney/Client Privileged (A/C Privileged) classification to a message if you are routing an email between a law office and a client.
• Journaling: This is the ability to create a record of all email communications going in and out of your organization. You should have a retention and archiving strategy to meet the compliance requirements that apply to your business, and a journal is a key enabling mechanism for doing so.
• Messaging records management: Users have tons of email that is business-oriented — and tons of email that simply isn’t. If there is no business value to an email, there is no need to retain that content. Messaging records management helps by moving messages into Deleted Items or permanently deleting messages that go beyond a certain retention time. Those messages may also be journaled at the same time so that they aren’t lost.
• Personal archive: One of the biggest headaches to the compliance world is the fact that mailbox size restrictions have many users storing data locally on their systems through .pst files. This can make discovery a costly endeavor — and perhaps an impossible one. With Exchange 2010, users can now have a personal archive added to their mailbox that is retained on the servers themselves. This provides an alternate storage location without having it reside on the desktop, so it can be managed appropriately with compliance in mind.

Two other useful capabilties in Exchange 2010 include its information rights management and the ability to use the Exchange Control Panel to perform multiple-mailbox e-discovery searches for data. It can also establish a “legal hold” when there is some expectation that a legal situation is brewing for specific users; this hold ensures that all items are retained in a way that is transparent to the user.

Depending on your environment, these tools may be all that you need to be in compliance with legal requirements. In some circumstances you may have other solutions in play. What tools are you using to be in compliance?

This article, “The building blocks for compliance in your messaging system,” was originally published at InfoWorld.com. Read more of J. Peter Bruzzese’s Enterprise Windows blog and follow the latest developments in Windows at InfoWorld.com.