Our external risk team want to review our organisations email systems. At present it is half "on-premise" and half in the cloud via outlook/exchange365. The on premise is v2013 of Exchange.
What realistically should/could they look at in relation to the cloud email infrastructure (i.e. exchange365)? Are there any tools/scripts/best practice guides for such setups?
For the on-premise you can look at stuff like security configuration of the servers, mailbox DB backup policies, mailbox security access controls, etc etc