Planning for Compliance

Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

 

Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3

Microsoft Exchange Server 2007 is designed from the ground up to help users meet compliance requirements. Exchange 2007 offers you several features that help you capture e-mail messages in a user mailbox and as they flow in, through, and out of your organization.

The following list provides several examples of the areas where compliance features in Exchange 2007 can help you become compliant or respond to future discovery requirements:

  • Data retention policies   Many organizations are required to keep data for a specific time and then remove that data to protect privacy.

  • Privacy and confidentiality requirements   Every day organizations transmit sensitive and confidential information through e-mail, both to and from individuals and the organization itself. These organizations have to protect the privacy of individuals and the confidentiality of communications.

  • Ethical walls   Organizations that work with securities and other financial information are frequently required to prohibit communication between specific groups in their own organization.

  • Discovery requests   Organizations are sometimes subject to litigation. As part of this process, litigants can request information from each other. This information frequently comes in the form of e-mail messages.

For more information about the compliance features mentioned here, see Overview of Compliance Features.

Why Compliance Is Important?

Every organization should consider compliance. Every day organizations are required to produce evidence for litigation or to provide documentation to regulatory agencies to prove they are complying with their regulations.

Organizations that consider compliance when they plan their information technology infrastructures, including their e-mail infrastructures, can supply the required documentation on demand with less effort. They can also comply with other regulatory requirements more easily.

On the other hand, organizations that don't consider compliance up-front may find themselves sorting through millions of e-mail messages manually, wasting time and money. Organizations can also be held legally responsible for not complying with laws or regulatory requirements.

Although your organization may have never been subject to litigation or may not be required to follow regulatory requirements, there's a good chance that you handle private and confidential information that may be regulated by laws or regulations in your country or region. It's important that you understand the laws and regulations that apply to your organization and take proactive steps to make sure that you comply with them.

For a list of some of the laws and regulations that may apply to your organization, see Overview of Journaling.

Discussing Compliance in Your Organization

It's important to understand the requirements and obligations that may apply to your organization. If you haven't discussed compliance in your organization, the deployment of Exchange 2007 can be a catalyst for these conversations. Speak with your organization's management and legal representatives to understand the answers to the following questions:

  • Do we handle customer data?

  • Do we have established policies that protect customer data?

  • Do we transmit confidential organizational information through e-mail?

  • Do we control who can view confidential information and where it can be sent?

  • Have we established policies and procedures that help us respond to legal requests for information?

  • Are there laws or regulations that prohibit communication between specific groups in our organization?

  • Are there laws or regulations that require us to remove data after a given time?

This list presents some of the questions that many organizations must answer. The list is not definitive. It provides examples to help you consider some of the issues that may apply to your organization. Your organization may have other issues to consider.

If you already have a solid compliance policy in your organization, talk with your compliance officers and management to help them understand how your organization can use Exchange 2007 as a compliance tool.