Exchange compliance and security features


Looking for an engaging way to describe the notion of and difference between eDiscovery, inline hold, Journaling and retention policies within exchange 2013, to a non-technical audience with a real life example that may cover all four elements?

Exec Consultant
Distinguished Expert 2018
Best is to have a before-and-after example, very much storytelling - probably a miscreant and insider threat scenario may help to intrigue the investigative mind of the audience and yet bring out the practical capabilities. The retrospective and investigative tactic of sieving through the troves of data to eventually find evidence of data or IP theft (mystery) and bringing justice (finally, truth) may add some "color" to the techie storytelling.

For a start, understand the need for the below - compare a normal setup vs. using the "enhanced" means in the 4 areas named.

1) eDiscovery - to detect, in a big pool of data, suspect activities such as emails sent outwards to his web email, corresponding with external parties on a specific organisation intellectual product yet to be released, press comms etc. Keyword search.

Normal: use Windows Search or a manual approach, with no script or great UI to automate the search. Vs: Discovery Managers use the new In-Place eDiscovery & Hold wizard to perform eDiscovery searches.

E.g. Keyword statistics: After you create an In-Place eDiscovery search, you can get detailed keyword statistics showing you the number of items matched for each keyword. You can use this information to determine if the query has returned the number of messages you estimated. Depending on whether a query is too broad or too narrow, the search may return too many or too few messages. Use this information to fine-tune your query.

E.g. eDiscovery Search Preview: After you've created an eDiscovery search, you can quickly preview search results. Messages returned from each source mailbox are displayed in the search preview. Being able to quickly preview messages allows you to ensure your query returns the content you're searching for and to further fine-tune your query.

See the above extract from walkthrough of the

2) In-Place Hold - There are various "hold" use cases; the emphasis here is that In-Place Hold allows you to specify a duration of time for which to hold items. So in the storyboarding of the insider, the culprit is attempting to delete those email correspondences or mail contents containing the "sensitive" keywords... never does he know there is such a capability to retain information for a duration...

You can try to talk about the need to configure the Deleted Item Recovery period to the minimum period you want an item to be retained for. But it can be slightly tricky here as it may bring some "confusion"... the period for Deleted Item Retention is calculated from the date of deletion. So the deletion date can inadvertently lengthen the retention period...

Here, you start to talk about how we can be more surgical on the exact time... such that when we create a time-based In-Place Hold, it is more "accurate" because the hold period is calculated from the item's received/creation date; you can guarantee the item won't be held beyond that period, as compared to the Deleted Item Recovery period.

Actually, the inline hold indirectly brings about the retention policy. E.g. it may be good to run through the normal delete, where once a user uses Shift-Delete to delete a message, it is moved to the Recoverable Items\Deletes folder. Any messages in the Deletes folder are purged when the Deleted Items Retention period configured for the mailbox database or the user expires. However, if the mailbox is placed on an In-Place Hold, the item is moved to the Recoverable Items\DiscoveryHolds folder.

This juncture may be a good point to bring in "immutability", which simply means messages placed on hold must be preserved without alteration. In-Place Hold also helps you preserve content from intentional tampering or modification. This is achieved by performing a copy-on-write (COW): when the user or any process attempts to modify a message, before the modified message is saved, a copy of the original message is made and saved in the Recoverable Items\Versions folder. Items captured in the Versions folder are also indexed and returned in an In-Place eDiscovery search.

The link above brings a good run-through... for inline hold and eDiscovery...

3) Journaling - This probably has to be highlighted as an enabler for the sleuth, as it is a tool in your email retention or archival strategy. So for the scenario, the "investigation" can also include that the insider or employee is held liable for the claims made to their customers. To verify that the claims are accurate, the email system is set up so that review can be performed regularly on employee-to-client communications. In a way this serves to verify the suspect's compliance (or at least find bits and pieces of his misdoings, if any). The focus can be a journal rule scoped to External messages only.

A journal report is next to show, which can be generated when a journal rule is triggered. E.g. the original message that matches the journal rule is included unaltered as an attachment to the journal report. The body of a journal report contains information from the original message such as the sender email address, message subject, message-ID, and recipient email addresses.

The link helps with more details.

4) Retention policies - this actually relates closely to (1) and (2), so probably you may not want to repeat too much, as the emphasis should already be known by the time you reach the conclusion or gather enough evidence to affirm the suspect's or insider's wrongdoing. Probably the point is just to bring in the "Retention Policy Tag" that can be further grouped under a retention policy... meaning having it group all tagged folders for deletion purposes.

But the main objective of this policy is actually to do "housekeeping" and not increase mail size, since we know the cost can increase with storage size... a kind of enforcement to limit user mail size, with items tagged for deletion based on organisation policy.

Ultimately, to streamline investigation and housekeeping and at the same time comply with ease. Another link for the configuration.
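The four pieces of the insider-threat storyboard above, configured from the Exchange 2013 Management Shell as a defender would set them up. This is an added example, not code from the original answer or from Microsoft; the domain contoso.com, the suspect mailbox jdoe, the journal mailbox, the case name and the keywords are constructed, while the cmdlets and parameters are the standard Exchange 2013 ones.

```powershell
# Added example (not from the original answer): eDiscovery, In-Place Hold, journaling
# and a retention policy for one insider-threat case, run in the Exchange Management Shell.
# Constructed names: contoso.com, mailbox "jdoe", journal mailbox "journal@contoso.com".

$Suspect = "jdoe@contoso.com"
$Case    = "IP-Leak-Case-001"

# 1) In-Place eDiscovery: estimate first, then look at the keyword statistics to see
#    whether the query is too broad or too narrow before copying any results.
#    (Dates follow the shell's system date format.)
New-MailboxSearch -Name $Case -SourceMailboxes $Suspect `
    -SearchQuery '"project falcon" OR "press release" OR gmail.com' `
    -StartDate "01/01/2018" -EndDate "06/30/2018" -MessageTypes Email -EstimateOnly
Start-MailboxSearch -Identity $Case
# -ShowKeywordStatistics adds the per-keyword hit counts to the search object's output
Get-MailboxSearch -Identity $Case -ShowKeywordStatistics | Format-List Name,Status,ResultNumber

# 2) In-Place Hold, time-based: 365 days counted from the item's received/creation date,
#    so the end of the hold is predictable no matter when the user hits Shift-Delete.
New-MailboxSearch -Name "$Case-Hold" -SourceMailboxes $Suspect `
    -InPlaceHoldEnabled $true -ItemHoldPeriod 365
# Contrast: Deleted Item Retention is counted from the deletion date instead.
Set-Mailbox -Identity $Suspect -RetainDeletedItemsFor "30.00:00:00"
# Deleted and edited items of a held mailbox sit under Recoverable Items
# (Deletions, Versions, DiscoveryHolds); this lists item counts and sizes per folder.
Get-MailboxFolderStatistics -Identity $Suspect -FolderScope RecoverableItems |
    Format-Table Name,ItemsInFolder,FolderSize -AutoSize

# 3) Journaling: external messages only, delivered as journal reports (original message
#    attached unaltered) to a dedicated journal mailbox for regular review.
New-JournalRule -Name "External-client-comms" -Scope External `
    -JournalEmailAddress "journal@contoso.com" -Enabled $true

# 4) Retention policy for housekeeping: tag items older than two years for deletion,
#    group the tag under a policy and apply it to the mailbox. While the In-Place Hold
#    from step 2 is active, expired items are kept in Recoverable Items rather than purged.
New-RetentionPolicyTag -Name "Delete-after-2y" -Type All `
    -AgeLimitForRetention 730 -RetentionAction DeleteAndAllowRecovery
New-RetentionPolicy -Name "Corp-Housekeeping" -RetentionPolicyTagLinks "Delete-after-2y"
Set-Mailbox -Identity $Suspect -RetentionPolicy "Corp-Housekeeping"
```

Running the eDiscovery search as an estimate first is what produces the keyword statistics the answer mentions; drop -EstimateOnly (or use Set-MailboxSearch with a -TargetMailbox) once the query is tuned and the results need to be copied.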
