exchange365 risk assessment

Our external risk team want to review our organisations email systems. At present it is half "on-premise" and half in the cloud via outlook/exchange365. The on premise is v2013 of Exchange.

What realistically should/could they look at in relation to the cloud email infrastructure (i.e. exchange365)? Are there any tools/scripts/best practice guides for such setups?

For the on-premise you can look at stuff like security configuration of the servers, mailbox DB backup policies, mailbox security access controls, etc etc
LVL 3
pma111Asked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
David Johnson, CD, MVPConnect With a Mentor OwnerCommented:
frrom various sources but Microsoft Office 365 is compliant with  ISO 27002 standard on information security practices and techniques to build a control matrix that includes firewalls, anti-virus patching and other controls drawn from the payment card industry's data security standard and also ยง  ISO 27001, Safe Harbor,   SSAE16 SOC1 Type II, SOC2 Type II,  FISMA regulations.  All of the drives are encrypted using bitlocker, all of the accessing servers are constrained with applocker and only processes s that are needed to access/modify the data are white-listed (they use a white list vs a black list policy).  Users with admin privileges don't have physical access and the converse is also true. for those with physical access don't have admin privileges
0
 
pma111Author Commented:
So are you basically saying "there is no point"...
0
 
David Johnson, CD, MVPOwnerCommented:
There isn't much you can do since the data is more compliant and safer than anything smaller than a major enterprise can hope to attain. They also have an active red team/blue team testing the system on a continuous basis which even some major enterprises can't afford to maintain on an ongoing basis.  That is what you are paying for.
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
pma111Author Commented:
I thought you could perhaps as the client still manage access control lists for 365 mailboxes internally, i.e. shared/group mailboxes? Surely there are a few "configurations" within the clients control, i.e. mailbox size, attachment size policy, use of protective marking, default/mandatory email signatures etc. Surely there must be some areas they can review... ?
0
 
David Johnson, CD, MVPOwnerCommented:
sure you can administer shared/group mailboxes. login to the admin center/exchange
Exchange admin center
0
 
pma111Author Commented:
is it possible to export configurations set in the exchange admin centre?
0
All Courses

From novice to tech pro — start learning today.