Planning for Compliance
Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2009-12-09
Microsoft Exchange Server 2010 is designed to help users meet compliance requirements. Exchange 2010 offers you several features that help you capture, protect, modify, retain, and discover e-mail messages in a user mailbox as the messages flow in, through, and out of your organization.
The following list provides several examples of the areas where compliance features in Exchange 2010 can help you become compliant or respond to future discovery requirements:
Data retention policies Many organizations are required to keep data for a specific time and then remove that data to protect privacy. To learn more, see Understanding Messaging Records Management.
Privacy and confidentiality requirements Every day organizations transmit sensitive and confidential information through e-mail, both to and from individuals and the organization itself. These organizations have to protect the privacy of individuals and the confidentiality of communications. To learn more, see Understanding Information Rights Management.
Ethical walls Organizations that work with securities and other financial information are frequently required to prohibit communication between specific groups in their own organization. To learn more, see Understanding Ethical Walls.
Discovery requests Organizations are sometimes subject to litigation. As part of this process, litigants can request information from each other. Because most business communication occurs over e-mail, complying with discovery requests requires the ability to search mailbox content, including e-mail messages and attachments. To learn more, see Understanding Multi-Mailbox Search.
Every organization should consider compliance. Every day organizations are required to produce evidence for litigation or to provide documentation to regulatory agencies to prove they're complying with regulations.
Organizations that consider compliance when they plan their information technology infrastructures, including their e-mail infrastructures, can supply the required documentation on demand with less effort. They can also comply with other regulatory requirements more easily.
On the other hand, organizations that don't consider compliance up-front may find themselves sorting through millions of e-mail messages manually, wasting time and money. Organizations can also be held legally responsible for not complying with laws or regulatory requirements.
Although your organization may have never been subject to litigation or may not be required to follow regulatory requirements, there's a good chance that you handle private and confidential information that may be regulated by laws or regulations in your country or region. It's important that you understand the laws and regulations that apply to your organization and take proactive steps to make sure that you comply with them.
For a list of some of the laws and regulations that may apply to your organization, see Understanding Journaling.
It's important to understand the requirements and obligations that may apply to your organization. If you haven't discussed compliance in your organization, the deployment of Exchange 2010 can be a catalyst for these conversations. Speak with your organization's management and legal representatives to understand the answers to the following questions:
Do we handle customer data?
Do we have established policies that protect customer data?
Do we transmit confidential organizational information through e-mail?
Do we control who can view confidential information and where it can be sent?
Have we established policies and procedures that help us respond to legal requests for information?
Are there laws or regulations that prohibit communication between specific groups in our organization?
Are there laws or regulations that require us to remove data after a specific time?
This list presents some of the questions that many organizations must answer. The list isn't definitive. It provides examples to help you consider some of the issues that may apply to your organization. Your organization may have other issues to consider.
If you already have a solid compliance policy in your organization, talk with your compliance officers and management to help them understand how your organization can use Exchange 2010 as a compliance tool.