Exchange security vulnerability assessments and penetration tests don't require multiple, independent experts.
Technologically savvy individuals with the gumption to take on an organization's Exchange-related risks can start with a self-assessment.
At a high level, use the guidance in regulations and standards, such as the HIPAA Security Rule and the ISO/IEC 27002:2013 framework, to implement email security best practices. The goal is to minimize the risks to your Exchange-related systems, and to the information stored on and processed by them. Compare your Exchange security program's technical and operational controls to these requirements, determine where you're deficient and fill in any gaps to put you ahead of most organizations. This includes access control, risk analysis, incident response and disaster recovery. Even if your organization is not required to meet these standards, they are a great starting point for comprehensive risk management.
Review the more prescriptive requirements of the Payment Card Industry Data Security Standard (PCI DSS), which shows how to secure a defined set of critical systems and the sensitive information on them. The standard covers everything from network segmentation and data encryption to penetration testing and the compensating controls required for a cardholder data environment, all of which translate directly to a highly secure messaging environment. The PCI DSS Self-Assessment Questionnaires help codify its 12 requirements in terms of your business.
- Know what's what. Document the systems you have internally and in the cloud, what sensitive information is stored on them, how they're being used, and your existing policies and plans for addressing security issues in Exchange.
- Understand how everything is at risk. Your messages, calendars, contact lists and file attachments, the endpoints, the communication channels between all of them, and everything in storage or retention are at risk. It is imperative that you know and monitor these areas.
- Do something about it. Tweak your domain password policy and any other Group Policy Objects for system hardening. Secure your mobile devices and even integrate content filtering and/or data loss prevention technologies to ensure everything is reasonably secure. Everything should be demonstrable and defensible in case of an emergency.
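One concrete way to start the "do something about it" step is to check the domain password and lockout policy against a written baseline before touching any GPOs. The script below is an added example, not code from the article; the baseline thresholds are assumed values for illustration and should be replaced with whatever your own policy or standard (HIPAA, ISO/IEC 27002, PCI DSS) prescribes.

```powershell
# Added example: compare the default domain password policy to a baseline.
# Baseline numbers are assumptions for illustration; substitute your own.
Import-Module ActiveDirectory

$baseline = @{
    MinPasswordLength    = 14     # assumed minimum length
    PasswordHistoryCount = 24     # assumed history depth
    MaxPasswordAgeDays   = 90     # assumed maximum age; "never expires" is flagged
    LockoutThreshold     = 10     # assumed; 0 means lockout is disabled, flagged
}

function Test-DomainPasswordPolicy {
    param([Parameter(Mandatory)]$Policy, [Parameter(Mandatory)][hashtable]$Baseline)
    $findings = @()
    if ($Policy.MinPasswordLength -lt $Baseline.MinPasswordLength) {
        $findings += "MinPasswordLength is $($Policy.MinPasswordLength), baseline $($Baseline.MinPasswordLength)"
    }
    if ($Policy.PasswordHistoryCount -lt $Baseline.PasswordHistoryCount) {
        $findings += "PasswordHistoryCount is $($Policy.PasswordHistoryCount), baseline $($Baseline.PasswordHistoryCount)"
    }
    # MaxPasswordAge is a TimeSpan; a zero or negative value means passwords never expire.
    $ageDays = $Policy.MaxPasswordAge.TotalDays
    if ($ageDays -le 0 -or $ageDays -gt $Baseline.MaxPasswordAgeDays) {
        $findings += "MaxPasswordAge is $ageDays days, baseline $($Baseline.MaxPasswordAgeDays)"
    }
    if (-not $Policy.ComplexityEnabled) {
        $findings += "Password complexity is disabled"
    }
    if ($Policy.ReversibleEncryptionEnabled) {
        $findings += "Reversible encryption is enabled (passwords recoverable from the directory)"
    }
    if ($Policy.LockoutThreshold -eq 0 -or $Policy.LockoutThreshold -gt $Baseline.LockoutThreshold) {
        $findings += "LockoutThreshold is $($Policy.LockoutThreshold), baseline $($Baseline.LockoutThreshold)"
    }
    return $findings
}

$policy = Get-ADDefaultDomainPasswordPolicy
$gaps = @(Test-DomainPasswordPolicy -Policy $policy -Baseline $baseline)
if ($gaps.Count -eq 0) {
    Write-Output "Default domain password policy meets the baseline."
} else {
    Write-Output "Gaps against baseline:"
    $gaps | ForEach-Object { Write-Output " - $_" }
}

# Fine-grained password policies (PSOs) override the default for the groups they target,
# so list them too; each one needs the same comparison.
Get-ADFineGrainedPasswordPolicy -Filter * | Select-Object Name, Precedence, AppliesTo
```

Run it with an account that can read the domain policy objects and keep the output with your assessment records, since the point of the self-assessment is that every finding is documented and defensible later.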
Don't stop after your first assessment. Your Exchange environment is always in a state of flux; threats and vulnerabilities are evolving and always eager to creep in.