The new Exchange adds features that facilitate compliance and allow companies to take a more proactive stance toward potential violations of compliance standards.
The new policy engine in Exchange 2013 gives administrators more flexibility in managing compliance policies. Not only can they access those policies while they’re at the office, but they can do so online, too.
Through the new Exchange’s Data Loss Prevention (DLP) features, which are based on the Exchange Transport Rules introduced in Exchange 2007, organizations can address compliance problems in real time.
Exchange 2013 adds a number of predicates and actions to the transport rules found in previous releases of the software. For example, some of the new predicates can be used to detect messages that contain attachments with specific extensions or with executable content, as well as detect messages that exceed a certain size limit or messages sent from a certain IP address range.
New actions in Exchange 2013 can perform functions such as stopping the processing of all subsequent rules on a message or automatically encrypting a message when it’s routed outside an organization.
Through deep content analysis, which includes keyword matches, dictionary matches and expression evaluation, Exchange can scan outbound messages and identify those that may contain sensitive information such as Social Security numbers, credit card numbers, driver’s license numbers and passport numbers. Such messages can be blocked or sent to a location where they can be mediated. An incident report on those actions can be automatically generated and sent to compliance watchdogs.
In addition, similar to the MailTips feature in Exchange 2010, the sender of a message can be alerted, before sending it, that it contains content that violates compliance policies.
Exchange 2013’s DLP features also give an administrator flexibility in applying compliance policies. For example, application of policies can be customized to groups within an organization. Groups that work with sensitive information, like credit card numbers, as part of their mission could be granted an exemption to the policy rule governing that kind of data.
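The content analysis and group exemption described above can be illustrated in Python (an added example, not Microsoft's implementation and not part of the original article). It assumes a pattern match must also pass a Luhn checksum and sit near a corroborating keyword; the keyword list, proximity window, message fields and action names are all hypothetical.

```python
import re

# Expression evaluation: 13-16 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
# Keyword match: corroborating terms (constructed list for this example).
KEYWORDS = ("credit card", "card number", "visa", "mastercard", "expiry", "cvv")
PROXIMITY = 60  # characters either side of a match searched for a keyword

# Constructed sample message; the number is the widely published Visa test value.
SAMPLE = {"subject": "Payment details",
          "body": "Customer credit card: 4111-1111-1111-1111, expiry 09/27",
          "sender_group": "Sales"}


def luhn_ok(digits):
    """Luhn checksum: rejects most random digit runs such as order numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return findings that pass pattern, checksum and nearby-keyword checks."""
    findings, lowered = [], text.lower()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            continue
        window = lowered[max(0, m.start() - PROXIMITY): m.end() + PROXIMITY]
        if any(k in window for k in KEYWORDS):
            # Record only the last four digits so the report does not leak the value.
            findings.append({"type": "credit_card", "last4": digits[-4:]})
    return findings


def evaluate(message, exempt_groups):
    """Decide the action for an outbound message (hypothetical policy shape)."""
    findings = find_card_numbers(message["subject"] + "\n" + message["body"])
    if not findings:
        return {"action": "deliver", "findings": []}
    if message["sender_group"] in exempt_groups:
        return {"action": "deliver", "findings": findings, "note": "exempt group"}
    return {"action": "block_and_report", "findings": findings}
```

Requiring the checksum and the keyword together reduces false positives on tracking or order numbers, and storing only the last four digits keeps the incident report from becoming a second copy of the sensitive data.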
To get administrators up and running with DLP out of the box with Exchange 2013, Microsoft is including some pre-configured policy templates for compliance with some common business data standards, such as PCI-DSS, Gramm-Leach-Bliley and PII (Personally Identifiable Information), which includes personalized information for specific locales, including France, Germany and Japan.
Templates other than Microsoft’s can also be used in Exchange 2013. Those templates, along with updates to Microsoft’s templates, make it easier for an administrator to cope with changes in the compliance landscape created by new laws or business standards.
Another way that Exchange 2013 can improve compliance is through some new searching capabilities. For instance, you can search for data not only within Exchange 2013 but also in Lync 2013, SharePoint 2013 and on Windows file servers.
In addition, searches can include proximity matching. That means you can search for a word based on its location in relation to another word. Such a function can be particularly important when trying to comply with electronic discovery requests from lawyers.
While the new features in Exchange 2013 that give administrators a better handle on compliance are powerful, administrators shouldn’t let that power go to their heads. It’s always wise to consult with the compliance and enforcement people in an organization before finalizing policy rules that affect compliance.