In this best practices guide, Microsoft Exchange MVP Mark Arnold delves into both ends of the e-discovery spectrum -- from stringent regulations such as the Sarbanes-Oxley Act (SOX) to less-stringent regulations such as the Federal Rules on Civil Procedure (FRCP). He explains why Exchange Server administrators need to understand what level of regulations and litigation their business is subject to, and how to adhere to these e-discovery requirements through varying degrees of email retention policies, backups and email archiving solutions.
EMAIL ARCHIVING AND E-DISCOVERY BEST PRACTICES FOR EXCHANGE
Part 1: Understand e-discovery regulation levels in Exchange Server networks
Part 2: Meet e-discovery requirements and maintain Exchange performance
Part 1: Understand e-discovery regulation levels in Exchange Server networksA business that either has no email retention policy or has a requirement to retain messages without stringent forensic security measures can adjust its Exchange Server backup regimes and email archiving applications to provide an acceptable level of e-discovery services to an investigating department or agency.
More businesses are subject to regulatory attention -- either formal, stringent regulations such as the Sarbanes-Oxley Act (SOX) or less-stringent regulations such as the Federal Rules on Civil Procedure (FRCP). Exchange Server administrators must understand what levels of regulations businesses are subject to, and what their responsibilities and deliverables might be if asked to provide current or historical information in an investigation. The human resources (HR) department or the federal government could direct this investigation.
Unless you are required to save email, the best service that any Exchange administrator can offer a business is agreeing to a deletion policy. If it's company policy to have no retention policy, that's as legitimate as a policy requiring you to retain months or years worth of messages. Having no email retention policy and enforcing it as such is acceptable to any investigator. It's only a problem if you can't prove that you've deleted messages you say that you haven't retained.
Whatever regulations you must meet, you should concentrate on system backups. Therefore, it makes sense to understand how those backups can provide some form of e-discovery activity, and possibly prevent expensive duplication of tape, disk space or software applications. There are application suites available -- Lucid8 DigiVault and DigiScope among others -- that will back up Exchange servers efficiently, while presenting an interface that allows someone to search for individual messages based on complex and detailed criteria.
It is contradictory to have a backup application-integrated solution that controls backups and facilitates message recovery if your organization allows users to store mail in .PST files on the network or a local workstation. If you suspect that you might be subject to regulatory requirements, or be involved in a business where litigation could be a factor, consider migrating to Exchange Server 2007 and give users enough space to meet storage requirements without resorting to .PST files.
You also should implement Group Policies in Active Directory to prevent users from creating and maintaining .PST files. There is no need to merge .PST files into Exchange Server. They can remain read-only and preserved in a central, administrative location for e-discovery application access, as required.
Share the e-discovery responsibility
It's important that someone else within the company -- not the Exchange Server administrator -- conduct e-discovery tasks. You don't want to be involved in preparing data to be searched as well as sifting through email for relevant messages resulting from those specific search parameters. It's more sensible to have an application that HR or legal departments can use for email searches. You can recover the raw data for them. The business will provide you with dates to work with, but once that information is available, let the business manage any detailed searches.
Getting information out has always been easy. The difficulty is getting it out in a useful format. Keep in mind that not everyone is running Exchange Server and the latest version of Microsoft Outlook. Any e-discovery activity results should be provided in an open format; XML is the preferred format. Provision in PDF format would also be acceptable.
Part 2: Meet e-discovery requirements and maintain Exchange performanceExchange Server administrators can leverage e-discovery requirements to retain and produce large quantities of email on demand with the pressure to maintain a healthy Exchange Server environment. A business at the higher-end of the regulation spectrum, one with clearly defined e-discovery requirements to retain and produce historical email, may gain from a dedicated email archiving and e-discovery solution. It's also important, however, to implement such a solution so that it's beneficial to an Exchange administrator, end users and auditors.
Corporations implement email archiving solutions for a number of reasons.
- If they want to reduce storage on their Exchange servers, but don't have a serious discovery or regulatory requirement, they may implement a third-party add-in tool to separate current email messages from old messages. From an administrator's perspective, these solutions work well. Such tools reduce the size of Exchange databases that are running, allowing backups to run efficiently. Because the archiving run may only occur about once every week, the archive database and content doesn't change, so it gets backed up infrequently.
- It's different for organizations that are heavily regulated and are required to retain email, instant messages (IM) and other electronic communications for several years. In these cases, the archiving solution runs secondary to the e-discovery component. At this point, email archiving products such as Mimosa's NearPoint, Enterprise Vault from Symantec or EAS from Zantaz typically will be evaluated before selecting one with the right functionality/price point for the organization.
The basics remain the same though: remove as much mail as practicable from the running Exchange Server stores at regular intervals and move them into the archive repository. Don't archive too frequently though, as one of the big benefits to archiving is a reduction in tape media or disk space utilization for backups. Once every two weeks should be enough, even down to every month if the traffic on the Exchange server isn't so excessive that it increases storage over the course of a month. You don't want message storage to become unmanageable with the backup infrastructure you have decided to maintain.
Taking as much old and infrequently accessed email out of the Exchange server is only part of the solution. Just because users haven't accessed the email in a considerable amount of time doesn't mean that they won't need the information in the future. Making the archive available in a seamless manner to users helps administrators by reducing and possibly eliminating help desk calls to recover individual messages that users have prematurely shift-deleted.
All email archiving applications offer the configurable capability to publish some or all of an original message in a "stub," so that just enough of the original message is available. Should the entire message or any attachment be required, the user would experience a slight delay as Exchange Server pulls the necessary content from the archiving repository. Don't archive too stringently though. There's no point archiving all email over a 30-day period out of Exchange if a particular department has a 60-day cycle to pull reports based on the previous cycle. Too many enquiries into the archive means that either users will experience undesirable delays when messages are retrieved or the archive application must be installed on a larger system or systems than necessary.
The whole point of implementing the archiving solution is the ability to secure email for search-and-discovery purposes. Archiving and store reduction is an additional bonus, so how should an administrator handle search and discovery?
It's common for IT departments to seek to retain control over the email archiving application, but this should be avoided. Granting the necessary administrative and investigatory teams with individual access to the system will take significant work from overloaded IT departments. Individual departments should work out their own data-protection guidelines to secure against random and unwarranted searches for tenuous reasons. This ensures that searches are fully audited to prevent accusations of probing being leveled at the IT department. That, of course, means necessary training must be given to those conducting searches; and the search interface must be sufficiently intuitive for non-IT professional use.
Database management, archiving and discovery projects go hand-in-hand. Any project will encompass two or all three of these elements. When planning a solution to reduce the overall storage on Exchange Servers, ensure that there isn't a project in place already to secure messages for compliance or similar purposes. When implementing an archiving and discovery project make sure the interface is intuitive and user-friendly and that roles and responsibilities are clearly defined.
|ABOUT THE AUTHOR:|
Mark Arnold, MCSE+M, Microsoft MVP, is a technical architect for Posetiv, a UK based storage integrator. He is responsible for the design of Microsoft Exchange and other Microsoft Server solutions for Posetiv's client base in terms of the SAN and NAS storage on which those technologies reside. Mark has been a Microsoft MVP in the Exchange discipline since 2001, contributes to the Microsoft U.K. "Industry Insiders" TechNet program and can be found in the Exchange newsgroups and other Microsoft Exchange forums.