Manage Learn to apply best practices and optimize your operations.

Exchange email security best practices sanction self-assessments

Do you have the guts and technology know-how to undertake a self-assessment of your organization's Exchange-related risks? If so, start here.

Exchange security, vulnerability assessments and penetration testing don't require multiple, independent experts....

Technologically savvy individuals with the gumption to take on an organization's Exchange-related risks can start with a self-assessment.

At a high level, use the guidance in regulations and standards, such as the HIPAA Security Rule and the ISO/IEC 27002:2013 framework, to implement email security best practices. The goal is to minimize the risks to your Exchange-related systems, and to the information stored on and processed by them. Compare your Exchange security program's technical and operational controls to these requirements, determine where you're deficient and fill in any gaps to put you ahead of most organizations. This includes access control, risk analysis, incident response and disaster recovery. Even if your organization is not required to meet these standards, they are a great starting point for comprehensive risk management.

Review the more prescriptive requirements of the Payment Card Industry Data Security Standard. PCI DSS will show you how to secure a set of critical systems and sensitive information. This industry regulation covers everything from network segmentation to data encryption, to penetration testing and the necessary compensating controls for a cardholder data environment -- all of which can be translated to a highly secure messaging environment. The PCI DSS standard's Self-Assessment Questionnaires help codify its 12 requirements in terms of your business.

Regardless of the approach to email security best practices, the focus of standards and regulations -- and any self-led information security risk assessment -- is to:

  1. Know what's what. Document the systems you have internally and in the cloud, what sensitive information is being stored on them, how they're being used, your existing policies and plans for addressing security issues in Exchange.
  2. Understand how everything is at risk. Your messages, calendars, contact lists, and information such as file attachments, endpoints, the communication channels in between everything and everything in storage/retention are all at risk. It is imperative that you know and monitor these areas.
  3. Do something about it. Tweak your domain password policy and any other Group Policy Objects for system hardening. Secure your mobile devices and even integrate content filtering and/or data loss prevention technologies to ensure everything is reasonably secure. Everything should be demonstrable and defensible in case of an emergency.

Don't stop after your first assessment. Your Exchange environment is always in a state of flux; threats and vulnerabilities are evolving and always eager to creep in.

Next Steps

Protect yourself from these six often overlooked vulnerabilities

Nine questions to determine if native email security tools are enough

Tips and tricks to improve your email security

How will global email impact email security?

 

This was last published in September 2015

Dig Deeper on Phishing and Email Fraud Protection

PRO+

Content

Find more PRO+ content and other member only offers, here.

Join the conversation

1 comment

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

How often does your organization perform a self-assessment to keep up with email security best practices?
Cancel

-ADS BY GOOGLE

SearchWindowsServer

SearchEnterpriseDesktop

SearchCloudComputing

SearchSQLServer

Close