Simple Steps To Help Make Your Exchange Infrastructure Compliant

By: Global Knowledge
Published: Dec 20, 2005
Length: 9
Type: White Paper
Overview:
Understanding regulatory compliance can be a daunting task. Learn security best practices that you can implement to help your company become compliant with these regulations. Download this white paper to learn more.
Related Categories: Microsoft Exchange, Security Management, Windows Server
Understanding regulatory compliance in general is a daunting task. Researching and understanding the various regulations can be time consuming, and deciphering the legalese can be frustrating. As an Exchange Server administrator, you already know that e-mail is mission critical to your organization. You also know how to administer and maintain Exchange servers. But, how do you make sure that your messaging infrastructure and your e-mail clients' communications are compliant with the legislation that governs how your organization does business?

This white paper describes some of the key legislation that has the potential to affect how you administer and maintain Exchange servers. It lists the key themes with regard to security compliance, and it describes security best practices that you can implement in your environment to help you become compliant with these regulations.

It's the Law

The type of business your company is in has the greatest impact on which regulations apply to your e-mail system. Do not make the mistake of thinking that, because you are not a health care provider or a financial institution, you have no regulatory compliance responsibilities. The following acts of legislation have the largest impact on e-mail security.

HIPAA

The American Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a set of rules to be followed by health plans, doctors, hospitals, and other health care providers. HIPAA took effect on April 14, 2003. In the health care and medical profession, the great challenge that HIPAA has created is the assurance that all patient account handling, billing, and medical records are HIPAA compliant.

GLBA

On November 12, 1999, President Clinton signed the Gramm-Leach-Bliley Act of 1999, Pub. L. No. 106-102, 106th Cong., 1st Sess. (GLBA). GLBA is the most sweeping legislation affecting banks and other financial institutions since the Depression. Most believe GLBA will have a major impact on cross-industry mergers and affiliations, customer privacy, and lending to lower-income communities.

Sarbanes-Oxley

This act of 2002 is considered to be the most significant change to federal securities laws in the United States since the New Deal. It came in the wake of a series of corporate financial scandals, including those affecting Enron, Arthur Andersen, and WorldCom. Among the major provisions of the act are: criminal and civil penalties for securities violations, auditor independence / certification of internal audit work by external auditors, and increased disclosure regarding executive compensation, insider trading and financial statements.

Patriot Act

Through this act, law enforcement and intelligence agencies are granted unprecedented access to information systems, both public and private, in the United States to locate and prosecute terrorists.

A Common Thread

You do not need to be required by an act of legislation to implement security features in order to understand why heightened security is important. It has become apparent in today's world just how dangerous it is to leave your messaging system, and the data stored in it, unprotected. Much of what the various regulations require is simply a set of best practices that numerous organizations have already implemented. These best practices are usually derived from industry standards.

The question is, how many of these best practices are enabled by default in Exchange Server 2003? The easy answer is: more than in Exchange 2000, and certainly more than in Exchange 5.5. The reality is that it is still not enough. You will have to do some work to make Exchange Server 2003 compliant. The good news is, there are some common actions that any administrator can take that will go a long way to meeting those requirements. What the various acts have in common are requirements for:

- Written security policies
- Secure electronic communications
- Archival of e-mail communications
- E-discovery mechanisms

Compliance Cornerstones

The foundation for a secure messaging environment is an operating system, a messaging application, and a client that can be locked down and secured. Whatever you may personally feel about the security of Microsoft products, Windows Server 2003 and Exchange Server 2003 can be configured and maintained so that they are extremely secure. One of the paradigms of security is that features and functionality must be sacrificed for a higher level of security. Exchange Server 2003 out of the box is "feature rich".