More and more companies are finding themselves in the crosshairs of lawyers filing lawsuits against them. That’s become a concern for electronic information managers because the first thing those legal beagles want to sniff is a company’s data stores. That means anything stashed on your Exchange servers is fair game for them. Previous versions of Exchange were weak in preserving data to meet the “discovery” demands generated by lawyers or regulators. Microsoft has changed that, though, with Exchange 2010.

With the arrival of that version of Exchange, administrators at last have a way to preserve documents  that might be needed to fulfill legal obligations imposed on them by outside forces. Placing a hold on a mailbox preserves a user’s deleted and edited items, including email messages, calendar entries and tasks. The hold applies to both the user’s primary mailbox and archive mailbox.

In the RTM version of Exchange 2010, the only way to implement a litigation hold was through the software’s shell structure with a statement like Set-Mailbox -identity “Name” -LitigationHoldEnabled $true. With the arrival of the SP1 beta of the application, though, holds can be created through the Management Console or Control Panel.

To set up a hold using the Console, you go to a mailbox recipient’s configuration and right click on the mailbox to access its properties. From the properties screen, you drill down to the properties settings for the Messaging Records Management item. There you can activate your hold by checking the box beside Enable Litigation Hold. You can also add a URL for a web page describing your organization’s policy governing holds, as well as any comments you may want users to see when they access their mailboxes after a hold has been imposed on them.

Continue reading Exchange SP1 won’t trash your important stuff

In their February 2009 email blog for Travis County, Texas, written by Steven Broberg and Shawn Malone, as government records managers for Travis County, they were debating how best to create an email policy which would support over 4000 end users without adding more confusion about state directives and standards on records retention policies. They proposed three general directions for their email retention policy and asked readers for their feedback.

As I have seen in many enterprises, and as the authors have also noted in their blog, there is always resistance to change that will be encountered anytime new ideas are proposed especially in large enterprises where business processes that are not broken will be defended as not needing to change.

One of their options, “Maintaining the Status Quo”, offered the least resistance by end users to accept as a general direction for records management. And it was also, of course, the least costly. If end users are at the front end of this direction – and also the endorsers – then the back end opponents included: security specialists, lawyers, vendors, NARA, TSLAC, etc.

With option one it is very unlikely that the company could maintain that mode as sooner or later there would be a need for email records that would be the subject of electronic discovery procedures and legal litigation. “Maintaining the Status Quo”, in my opinion, is not a viable option but merely one to list as a possible, though not probable, general email retention direction.

Their second option was to allow every employee using email to be their own records keeper. This direction would include publishing a records management set of rules and guidelines that all email users would have to adhere to. And to assist the employees in staying within the guidelines of a company’s record management policy the IT department would provide tools and training. Continue reading E-Discovery Record Keeping

In Steve Bailey’s blog, http://rmfuturewatch.blogspot.com/, the author has written about his recent attendance at the European Conference on Archiving (ECA) in Geneva in April, 2010. Steve has observed that in previous years at the conference most discussions were about the technical complexities of digital archival, the many different approaches to digital archival practices and the ensuing problems associated with false assumptions.

In earlier years Information Records managers were also concerned with the durability and shelf life of digital media as compared to earlier technologies and referenced against the famous Domesday Book and our electronic counterparts of today.

This year, at the ECA, it was reported to have a different atmosphere with more conversations and subjects revolving around case studies further suggesting that the challenges of archiving digital content material have been met and are almost of a “routine” nature these days. So the question of “can” or “how” do we preserve data without future data loss – and this is of concern to email administrator and IT departments – is now a question of the past.

For email administrators and records managers the concerns of how do we protect our company from not losing data has been replaced with the concern of how do we manage this huge amount of data where no data or emails are in danger of being lost anymore. Indeed, new technologies such as cloud computing are allowing administrators to ask for new tools to help them manage this soon to become massive amount of data that is coming at them like a tidal wave of information that is growing exponentially.

In his blog post on this subject, Steve Bailey, raises the eight-hundred pound gorilla in the room question of what about the growing impact of the cloud and of how safe is it to have your company’s data, emails, company confidential information, etc. stored in the archives of the cloud. More so, he raises the question of how long before they lose that control and what happens then.

I agree with him that these are issues that records managers must plan for when they and their IT departments are working out the details during the initial planning stages of the who and how of data storage as it relates to a company’s data whether it be for emails, their attachments or much larger documents. Continue reading Record Keeping Maturity

The Pyramid of Compliance.

Most business initiatives need employee “buy in” to work and compliance is no exception. Automated systems can impose a degree of uniformity in enforcing initiatives, but where the rubber meets the road will always be where your workforce interacts with your systems. An employee that embraces your policies and procedures can be your best protection from threats like email borne malware, as well as assurance that your organization is complying with industry and regulatory mandates.

How do you focus your people on compliance? Here are five suggestions from Ernie Hardin, founder and owner of 443 Consulting, an information security and business continuity consultancy in North Bend, Wash.

1. Get’em at the Door

Probably the easiest worker to obtain buy-in from is the new hire. He or she is a clean slate without some of the baggage of existing workers. New hires are also eager to please their new employer so they’re more willing to accept your compliance rules.

What should be included in a new hire’s introduction to compliance? A message from your company’s CEO emphasizing the employee’s role in the security of the firm can be very valuable in attaching importance to compliance. Of course the nuts and bolts of external rules and regulations that your business has to comply with–HIPAA for medical facilities, for example, or Sarbanes-Oxley for publicly traded companies–need to be explained, as well as your firm’s appropriate use policy relating to email and Internet usage.

2. Get ‘em Where They Eat

“Brown Bag” training sessions can be a useful approach to getting current employees onboard with your compliance program. The key to making these successful, though, is to bait them with something that appeals to the worker’s self interest. Free lunches are hard to resist, but tailoring your message is important, too. For example, Hardin point out that a session could be structured around computer security at home–a topic  of some importance to most of your workers. Since good security practices at home would overlap good security practices at the office, the session would be killing two birds with one stone.

“Fortunately, this training also reinforces good security habits, which, in turn, employees tend to bring back to the work environment,” Hardin writes.

Continue reading Five ways to focus your workers on compliance

Email retention is a very important component in every company’s day to day business practices. The reasons are many: legal requirements, efficient use of storage, privacy of corporate email messages and others.

Policies and best practices should be clearly stated in every company’s IT department for how best to archive the multitude of emails that accumulate each day.

Here are some of the best practices and considerations for email archival.

1. Indexing and searching capability should be features of all email archival systems. Companies need to be able to respond quickly to requests for old emails particularly when those requests are coming from legal entities outside of the company. Months and months of email messages can quickly become millions of archived messages. IT departments will need to be able to respond to information requests in the least amount of time possible so as to meet any legal requirements necessary. Having a fully indexed archival message system will support the retrieval of any documents or email messages in a short period of time. In addition, being able to respond to requests for archived emails can help to meet discovery or subpoena requests in a timely manner.
2. Audit trails should be another component of any good email archival system. Companies need to secure and track their archived emails to meet the regulations of the various governing bodies such as the SEC (Securities and Exchange Commission) that can request specific emails from them. Audit trails can also be used to prove compliance with reporting regulations such as the Sarbanes-Oxley Act.
3. Complete email integrity needs to be maintained so as to meet the rules of evidentiary standards. Email integrity can be maintained by use of electronic signatures and time stamps of each email that is archived, redundancy of archival systems to provide continuous access to archived emails and encryption of email messages to protect against tampering of original data.
4. Virus scanning of all email messages prior to archival should be an additional step in the archival process so as to ensure not only the integrity of archived email messages but also the protection of email system at the time of retrieval of email messages from the archive system.
5. Support of multiple email systems and protocols is another feature that can help to reduce the number of archive systems that are needed within a corporation. Some of the more widely used email systems that ought to be included in an email archive system include: Microsoft Exchange, Lotus Notes, Novell Groupwise, First Class, standard POP3, SMTP and Imap protocols.
6. Administrators should coordinate with their in-house legal department and with the department managers of the various business units that the IT organization is responsible for supporting. Those department managers may have additional requirements for email archiving of their employees emails based on their applications used and types of businesses they engage in. And legal departments can also provide guidance in the necessary archival rules and regulations which the company as a whole must comply with.
7. Know what time periods are required by specific regulations when determining how long to keep email messages in the archives. Some companies do not routinely rotate their archived email messages out to the bit bucket and as expected continue to drive up their storage and administrative costs unnecessarily. The more email messages that are stored then the more indexes are required and longer search times than are necessary will occur.
8. Designate someone within the IT organization who is the interface to the legal department. In smaller organizations the legal department will most likely be an outside law firm. Schedule regular quarterly reviews of the laws and regulations specific to your industry that have mandates related to email retention requirements. Some of these compliance laws, regulations, and standards that can impact how email is retained include: the Federal E-Discovery Rules; the Health Insurance Portability and Accountability Act (HIPAA); the Gramm-Leach-Bliley Act (GLBA); the Sarbanes-Oxley Act (SOX); the PCI Data Security Standard; the Federal Information Security Management Act (FISMA); the EU Data Protection Directive 95/46/EC; the Basel II Accord and others.
9. Although not considered email, instant messages should also be included as electronic items that can be stored in an email archival system. Within the course of daily activities business communication emails that are received can sometimes start off as instant messages that have been converted into email when the sender was no longer able to communicate with the recipient.
10. The implementation and execution of a good email archival system can save a company much valuable time and money when all contingencies have been taken into account and the planning has been done well.

Retention Policy Tag types available in Exchange Server 2010.

With email playing a critical role in every business’s operations, protecting it has become more important than ever. One way to do that is by archiving it. Unfortunately, some organizations may find the task daunting.

Why? Messages may be stored all over the place–in .PST files, on SharePoint sites, on backup tapes, with third-party providers and in employees’ personal email accounts.

“With the potential of up to 90 percent of your e-mail residing outside of your Exchange Server, it can be daunting to enforce data retention policies or locate relevant communications when compliance matters arise,” Microsoft observed in a White Paper titled “Addressing E-mail Archiving and Discovery with Microsoft Exchange Server 2010.”

Another barrier to email archiving can be worker resistance. Some archiving solutions require both desktop and IT folks to change the ways they do things. Users may need to leave the comfort of their email applications to interact with archived messages. They may also need to learn new clients or applications to work in the new environment. Those things can discourage employee buy-in to the new system.

Not only can those accommodations to change disrupt established workflows of desktop workers, but it can affect an organization’s productivity. For instance, an archival system that doesn’t integrate seamlessly with an existing email setup can disable features in that existing system designed to increase productivity. For example, if the archives were set up outside Exchange, workers might lose the benefits of tools like Conversation View and the “anywhere access” capability of Microsoft’s Outlook Web App.

Similar challenges can confront an IT department. They may have to maintain new add-ons to email and Web apps to adjust to the archive scheme. What’s more, archiving could create a whole new infrastructure that must be made reliable and accessible to users. In addition, search methods that work with an existing system may not work with the new archival system. That can create quite a can of worms when compliance officers, legal departments and human resource people are breathing down an administrator’s neck for data to meet legal or regulatory demands.

Continue reading Dashing barriers to email archiving with Exchange 2010

The Outlook Personal Folders file (PST) had its day.  It was once the ultimate or perhaps only solution to reducing the cost of storing old emails within the Exchange server database.

Those days are largely gone.  Exchange servers can scale up to much larger database sizes than they could 10 years ago.  Disk and tape storage is cheap, and emails themselves are getting larger and larger.  And enterprise email archiving is efficient, cost effective, and even comes built in to the latest version of Exchange Server.

The benefits of the PST format are now close to nil, while all of the problems remain.  PST files are single-user access only, can’t be indexed or easily searched, are sensitive to corruption when they get larger or are being accessed over networks, and consume more space due to their general inefficiency.

But many organizations have a lot of archived emails still stored in PST files.  Moving to a new Exchange server doesn’t magically solve that problem.  The question is what should you do about all those PST files? Continue reading What to do With Those PST Files

On more than one occasion I have worked with a customer whose email archiving strategy could be stated like this.

“When people stop working for us we never, ever delete their mailbox.”

As you might guess from the title of this post, that is not really “email archiving”.  You could call it “email keeping”, but I would put it as “creates more problems than it solves”.

If your email archiving strategy is to have no strategy at all, and that’s a deliberate decision by your organization, then consider some of the problems that you are creating.

• Every mailbox you keep adds to the size of the database, which therefore consumes more disk space, and more backup media
• Larger databases take longer to back up, and longer to recover if there is a problem
• Every mailbox you keep is an active mailbox that can potentially continue to receive emails, increasing your storage needs at a rate faster than necessary
• Every mailbox you keep is also an active user account, leaving a potential attack vector for hackers or disgruntled former staff
• When the time comes to migrate to a new email server, the amount of data to move is that much larger
• Keeping emails in mailboxes on an Exchange server (prior to Exchange 2010 which relatively few organizations have moved to yet) does not make them easily auditable

Email Archiving Solutions

A proper email archiving strategy can be conceived and executed with the right archiving solution.  Here are some of the ways that email archiving can be implemented. Continue reading When Email Archiving Isn’t Really Email Archiving

Ten years ago we measured mailbox sizes in megabytes.  A 20mb mailbox was adequate.  A 100mb mailbox was a luxury.

Today we measure mailbox sizes in gigabytes.  A single message in today’s email communications could easily consume the entire mailbox quota of a decade ago.  We’re sending more email, bigger email, and keeping it longer.

Email server products such as Microsoft Exchange Server have responded to this growth in storage needs with support for more processing power, more efficient database schemas, and improved performance on storage hardware.

In fact, most of the storage performance gains of the last 4 years have been in the efficiency of the Exchange Server product itself, not in the performance capabilities of storage hardware.  Hard disks are getting bigger, but they aren’t getting faster.

As we become more reliant in the ability to retain and access email data quickly it is no surprise that we are storing more and more of it in our mailboxes.  This increase in email storage reveals some new bottlenecks in IT systems – the ability to adequately back the data up.

Backup Challenges

Backups are experiencing similar growing pains to disk storage.  Tape speeds and capacities increase through new generations of the technologies, but when disk speeds and network speeds don’t increase with them there is only so much throughput that you can achieve.  Eventually many larger enterprises reach a stage in which a nightly, full backup of the Exchange system is not possible within the backup window.

Three key technologies have surfaced to help enterprises manage these growth issues with email storage:

• Archiving
• Synthetic Backups
• De-Duplication

Archiving

Email archiving usually involves moving older, less frequently accessed data from the primary storage to a secondary storage system.  The secondary storage system may be built in to the email server, such as Exchange Server 2010’s archiving feature, or it might come in the form of a third party product that integrates with Exchange. Continue reading 3 Technologies for Improving Backup Efficiency for Growing Exchange Environments

Despite the benefits of giving users large electronic mailboxes, many administrators have been reluctant to do so because of the costs and complexity involved. However, those costs can be reduced and that complexity simplified making large mailboxes a more viable solution with Microsoft Exchange Server 2010.

That’s what Microsoft maintains in a recent white paper, “The Microsoft Large Mailbox Vision: Giving users large mailboxes without breaking your budget.” In the document, the company explains how new features in Exchange 2010 can reduce storage costs, as well as improve the operation of existing systems.

What’s wrong with small mailboxes? For one thing, they require user intervention to manage. Users are forced to make decisions on what should be saved, archived or deleted in order to stay within size limits. Not only do those decisions waste valuable time for users, but they can result in important organizational knowledge being trashed.

Faced with the prospect of reviewing an onerous number of emails, some users take shortcuts to avoid the burdensome task. One typical shortcut is dumping emails into .PST files. That creates a whole new set of problems. Universal access to the emails is lost because the files can be accessed only on the machines they were created on. If the files are corrupted, oftentimes there’s no way to recover the data in them. What’s more, since the files are outside the Exchange infrastructure, they can be difficult to search–a serious problem should an organization be hit with an electronic discovery order in a lawsuit.

One way Exchange can reduce the costs associated with larger mailboxes is by allowing organizations to substitute lower performance, higher capacity disk storage for high performance, lower capacity disks.

Continue reading Creating large mailboxes with Exchange 2010