Messaging policy and compliance

Applies to: Exchange Server 2013

Email has become a reliable and ubiquitous communication medium for information workers in organizations of all sizes. Messaging stores and mailboxes have become repositories of valuable data. It's important for organizations to formulate messaging policies that dictate the fair use of their messaging systems, provide user guidelines for how to act on the policies, and where required, provide details about the types of communication that may not be allowed.

Organizations must also create policies to manage email lifecycle, retain messages for the length of time based on business, legal, and regulatory requirements, preserve email records for litigation and investigation purposes, and be prepared to search and provide the required email records to fulfill eDiscovery requests.

Organizations must also protect against leakage of sensitive information such as intellectual property, trade secrets, business plans, and personally identifiable information (PII) that they collect or handle.

The following table provides an overview of the messaging policy and compliance features in Microsoft Exchange Server 2013 and includes links to topics that will help you learn about and manage these features.

Feature: Messaging records management (MRM)
Description: To comply with applicable regulations or meet legal or business requirements, organizations include email lifecycle policies as part of their messaging policy. Common questions that should be addressed by these policies include:
  • How long should messages be retained?
  • Where should the messages be retained?
  • Should all messages be retained for the same period?
Exchange 2013 includes MRM features that allow you to implement your organization's email lifecycle policies. You can use MRM to apply uniform retention settings to all messages, use custom retention policies to apply a baseline retention setting for the mailbox, and optionally allow users to classify messages so that they can be retained for a specified duration.
Resources: Messaging records management

Feature: In-Place Archiving
Description: In-Place Archiving helps you regain control of your organization's messaging data by eliminating the need for personal store (.pst) files and allowing users to store messages in an archive mailbox accessible in Outlook 2010 and later and Outlook Web App.
Resources: In-Place Archiving in Exchange 2013

Feature: In-Place Hold
Description: When a reasonable expectation of litigation exists, organizations are required to preserve electronically stored information (ESI), including email that's relevant to the case. In-Place Hold allows you to search and preserve messages matching query parameters. Messages are protected from deletion, modification, and tampering and can be preserved indefinitely or for a specified period.
Resources: In-Place Hold and Litigation Hold

Feature: In-Place eDiscovery
Description: In-Place eDiscovery allows you to search mailbox data across your Exchange organization, preview search results, and copy them to a Discovery mailbox.
Resources: In-Place eDiscovery

Feature: Journaling
Description: Journaling can help your organization respond to legal, regulatory, and organizational compliance requirements by recording inbound and outbound email communications. When planning for messaging retention and compliance, it's important to understand journaling, how it fits in your organization's compliance policies, and how Exchange 2013 can help you secure journaled messages.
Resources: Journaling

Feature: Transport rules
Description: Using transport rules, you can look for specific conditions in messages that pass through your organization and then take action on them. Transport rules let you apply messaging policies to email messages, secure messages, protect messaging systems, and prevent information leakage.
Resources: Transport rules

Feature: Data loss prevention (DLP)
Description: DLP capabilities help you protect your sensitive data and inform users of your policies and regulations. DLP can also help you prevent users from mistakenly sending sensitive information to unauthorized people. When you configure DLP policies, you can identify and protect sensitive data by analyzing the content of your messaging system, which includes numerous associated file types. The DLP policy templates supplied in Exchange 2013 are based on regulatory standards such as PII and the Payment Card Industry Data Security Standard (PCI DSS). DLP is extensible, which allows you to include other policies that are important to your organization. Additionally, the new Policy Tips capability allows you to inform users about policy violations before sensitive data is sent.
Resources: Data loss prevention

Feature: Information Rights Management (IRM)
Description: Information Rights Management (IRM) provides persistent online and offline protection for email messages and attachments using Active Directory Rights Management Services (AD RMS).
Resources: Information Rights Management

Feature: S/MIME
Description: Secure/Multipurpose Internet Mail Extensions (S/MIME) allows people who have mailboxes in Microsoft 365, Office 365, Exchange 2013, or Exchange Online to help protect sensitive information by sending signed and encrypted email within their organization. Administrators can enable S/MIME for these mailboxes by synchronizing user certificates between Microsoft 365 or Office 365 and their on-premises server and then configuring Outlook Online to support S/MIME.
Resources: S/MIME for message signing and encryption

Feature: Mailbox audit logging
Description: Because mailboxes can potentially contain sensitive, high business impact (HBI) information and PII, it's important that you track who logs on to the mailboxes in your organization and what actions are taken. It's especially important to track access to mailboxes by users other than the mailbox owner (known as delegate users). Using mailbox audit logging, you can log mailbox access by mailbox owners, delegates (including administrators with full mailbox access permissions), and administrators.
Resources: Mailbox audit logging; Exchange auditing reports

Feature: Administrator audit logging
Description: Administrator audit logs enable you to keep a log of changes made by administrators to Exchange server and organization configuration and to Exchange recipients. You might use administrator audit logging as part of your change control process or to track changes and access to configuration and recipients for compliance purposes.
Resources: Administrator audit logging
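The following Exchange Management Shell session is an added example, not part of the original page or Microsoft's documentation, showing how three of the preventive controls listed above (a baseline MRM retention policy, a query-based In-Place Hold, and a DLP policy together with a supporting transport rule) are put in place. The mailbox addresses, policy and search names, hold period, and the 3-year and 7-year retention ages are constructed placeholders; the DLP template name is assumed to be one of the built-in templates and should be confirmed with Get-DlpPolicyTemplate before use.

```powershell
# Added example (not from the original page). Run in the Exchange 2013
# Management Shell with an account that holds the Compliance Management
# and Records Management roles. All names and addresses are placeholders.

# --- Messaging records management: baseline retention ------------------
# A default policy tag (Type All) covers every item that has no more
# specific tag. Items older than 3 years are deleted but stay in
# Recoverable Items for the mailbox's deleted-item retention window.
New-RetentionPolicyTag -Name "Default 3-year delete" -Type All `
    -AgeLimitForRetention 1095 -RetentionAction DeleteAndAllowRecovery

# A personal tag that users can apply in Outlook to keep an item longer,
# which is the "optionally allow users to classify messages" case.
New-RetentionPolicyTag -Name "Keep 7 years" -Type Personal `
    -AgeLimitForRetention 2555 -RetentionAction DeleteAndAllowRecovery

New-RetentionPolicy -Name "Corporate baseline" `
    -RetentionPolicyTagLinks "Default 3-year delete","Keep 7 years"

# Assign the policy; the Managed Folder Assistant applies it on its next run.
Set-Mailbox -Identity "user1@contoso.example" -RetentionPolicy "Corporate baseline"

# --- In-Place Hold: preserve matching items for a fixed period ----------
# Items matching the query stay in Recoverable Items even if the user
# deletes or edits them, for 365 days from their received/created date.
# Use -ItemHoldPeriod Unlimited for an indefinite hold.
New-MailboxSearch -Name "Litigation-ProjectX-hold" `
    -SourceMailboxes "user1@contoso.example","user2@contoso.example" `
    -SearchQuery 'Project X' `
    -InPlaceHoldEnabled $true -ItemHoldPeriod 365

# --- DLP: start in audit mode, then enforce ----------------------------
# List the built-in templates first; the name below is an assumption.
Get-DlpPolicyTemplate | Select-Object Name

# AuditAndNotify shows Policy Tips and logs incidents without blocking
# mail, so the false-positive rate can be measured before enforcement.
New-DlpPolicy -Name "PCI DSS baseline" `
    -Template "PCI Data Security Standard (PCI DSS)" -Mode AuditAndNotify

# Once tuned, switch the same policy to Enforce.
# Set-DlpPolicy -Identity "PCI DSS baseline" -Mode Enforce

# --- Transport rule: a standalone leakage control ----------------------
# Reject outbound messages that carry at least one credit card number,
# and raise the incident severity so it stands out in DLP reports.
New-TransportRule -Name "Block card numbers leaving the organization" `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @(@{Name="Credit Card Number"; minCount="1"}) `
    -RejectMessageReasonText "This message appears to contain payment card data and cannot be sent outside the organization." `
    -SetAuditSeverity High
```

Retention tags only take effect after the Managed Folder Assistant processes the mailbox, so verifying a new policy means waiting for (or triggering) that run rather than checking immediately; holds and transport rules apply as soon as replication completes.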
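As an added example for the two audit-logging rows (not code from the original page or from Microsoft), the session below enables mailbox audit logging on a shared mailbox, reviews non-owner access, and queries the administrator audit log for changes to auditing and mailbox permissions themselves. The mailbox address, report recipient, and 30-day window are constructed placeholders.

```powershell
# Added example (not from the original page). Exchange 2013 Management
# Shell; addresses, names and the time window are placeholders.

# --- Mailbox audit logging --------------------------------------------
# Auditing is per-mailbox and off by default. Delegate (non-owner)
# actions are the highest-risk category, so record all of them, plus
# administrator actions, and keep entries for 180 days.
Set-Mailbox -Identity "finance-shared@contoso.example" -AuditEnabled $true `
    -AuditDelegate Create,FolderBind,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,HardDelete,Update `
    -AuditAdmin Copy,Create,FolderBind,MessageBind,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,HardDelete,Update `
    -AuditLogAgeLimit 180

# Compliance check: which mailboxes still have auditing disabled?
Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.AuditEnabled } |
    Select-Object DisplayName, PrimarySmtpAddress

$since = (Get-Date).AddDays(-30)
$now   = Get-Date

# Synchronous search: every non-owner access to the mailbox in the window,
# newest first. -ShowDetails returns one row per logged operation.
Search-MailboxAuditLog -Identity "finance-shared@contoso.example" `
    -LogonTypes Delegate,Admin -StartDate $since -EndDate $now -ShowDetails |
    Select-Object LastAccessed, LogonUserDisplayName, LogonType, Operation,
                  FolderPathName, ItemSubject, ClientIPAddress |
    Sort-Object LastAccessed -Descending

# Asynchronous search: results are emailed as an XML attachment, which
# suits a recurring review by the compliance team.
New-MailboxAuditLogSearch -Name "Monthly non-owner access review" `
    -Mailboxes "finance-shared@contoso.example" -LogonTypes Delegate,Admin `
    -StartDate $since -EndDate $now `
    -StatusMailRecipients "compliance@contoso.example"

# --- Administrator audit logging --------------------------------------
# Enabled by default in Exchange 2013; set the retention explicitly and
# confirm the configuration is what you expect.
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true `
    -AdminAuditLogCmdlets * -AdminAuditLogParameters * -AdminAuditLogAgeLimit 90
Get-AdminAuditLogConfig | Select-Object AdminAuditLogEnabled, AdminAuditLogAgeLimit

# Changes to auditing itself and new Full Access grants deserve review:
# who made them, against which object, with which parameters.
Search-AdminAuditLog -Cmdlets Set-Mailbox,Add-MailboxPermission `
    -Parameters AuditEnabled,AuditDelegate,AccessRights `
    -StartDate $since -EndDate $now |
    Select-Object RunDate, Caller, CmdletName, ObjectModified,
                  @{ Name = "Parameters"; Expression = { ($_.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join "; " } }
```

The two log searches complement each other: Search-MailboxAuditLog answers "who touched this mailbox", while Search-AdminAuditLog answers "who changed the controls around it", and an entry in the second that disables auditing or adds a delegate shortly before activity in the first is the pattern a reviewer should look for.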