
Microsoft® Exchange Server 2010 Audit/Assurance Program

ISACA®
With 95,000 constituents in 160 countries, ISACA (www.isaca.org) is a leading global provider of knowledge,
certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise
governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit, independent
ISACA hosts international conferences, publishes the ISACA® Journal, and develops international IS auditing and
control standards, which help its constituents ensure trust in, and value from, information systems. It also advances
and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®),
Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and
Certified in Risk and Information Systems Control™ (CRISC™) designations. ISACA continually updates COBIT®,
which helps IT professionals and enterprise leaders fulfill their IT governance and management responsibilities,
particularly in the areas of assurance, security, risk and control, and deliver value to the business.

Disclaimer
ISACA has designed and created Microsoft® Exchange Server Audit/Assurance Program (the “Work”) primarily as
an informational resource for audit and assurance professionals. ISACA makes no claim that use of any of the Work
will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures
and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same
results. In determining the propriety of any specific information, procedure or test, audit and assurance professionals
should apply their own professional judgment to the specific circumstances presented by the particular systems or IT
environment.

Reservation of Rights
© 2011 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified,
distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical,
photocopying, recording or otherwise) without the prior written authorization of ISACA. Reproduction and use of
all or portions of this publication are permitted solely for academic, internal and noncommercial use and
consulting/advisory engagements and must include full attribution of the material’s source. No other right or
permission is granted with respect to this work.

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
E-mail: info@isaca.org
Web site: www.isaca.org

ISBN 978-1-60420-190-1
Microsoft® Exchange Server Audit/Assurance Program

CRISC is a trademark/service mark of ISACA. The mark has been applied for or registered in countries throughout
the world.

Microsoft® Exchange Server Audit/Assurance Program is an independent publication and is not affiliated with, nor
has it been authorized, sponsored or otherwise approved by, Microsoft Corporation.

©2011 ISACA. All rights reserved. Page 2

ISACA wishes to recognize:


Author
Norm Kelson, CISA, CGEIT, CPA, CPE Interactive Inc., USA

Expert Reviewers
Milthon J. Chavez, Ph.D., CISA, CISM, CGEIT, CRISC, ISO27000LA, MCH Consulting, Venezuela
Kerrie Douglas, CISA, CGEIT, DaVita, USA
Michael Jones, CISA, Bank of Montreal, Canada
William C. Lisse, Jr., CISA, CGEIT, CISSP, G7799, PMP, OCLC Inc., USA
John Tannahill, CISM, CGEIT, CRISC, CA, J. Tannahill & Associates, Canada

ISACA Board of Directors


Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, International President
Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, INTRALOT S.A., Greece, Vice President
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Vice President
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Vice President
Niraj Kapasi, CISA, Kapasi Bangad Tech Consulting Pvt. Ltd., India, Vice President
Jeff Spivey, CRISC, CPP, PSP, Security Risk Management, Inc., USA, Vice President
Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC, CSEPS, RSM Bird Cameron, Australia, Vice President
Emil D’Angelo, CISA, CISM, Bank of Tokyo-Mitsubishi UFJ Ltd., USA, Past International President
Lynn C. Lawton, CISA, CRISC, FBCS CITP, FCA, FIIA, KPMG Ltd., Russian Federation, Past International
President
Allan Neville Boardman, CISA, CISM, CGEIT, CRISC, CA (SA), CISSP, Morgan Stanley, UK, Director
Marc Vael, Ph.D., CISA, CISM, CGEIT, CISSP, Valuendo, Belgium, Director

Knowledge Board
Marc Vael, Ph.D., CISA, CISM, CGEIT, CISSP, Valuendo, Belgium, Chairman
Michael A. Berardi Jr., CISA, CGEIT, Nestle USA, USA
John Ho Chi, CISA, CISM, CRISC, CBCP, CFE, Ernst & Young LLP, Singapore
Phil Lageschulte, CGEIT, CPA, KPMG LLP, USA
Jon Singleton, CISA, FCA, Auditor General of Manitoba (retired), Canada
Patrick Stachtchenko, CISA, CGEIT, Stachtchenko & Associates SAS, France

Guidance and Practices Committee


Phil Lageschulte, CGEIT, CPA, KPMG LLP, USA, Chairman
Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, 6 Sigma, Quest Software, Spain
Meenu Gupta, CISA, CISM, CBP, CIPP, CISSP, Mittal Technologies, USA
Yongdeok Kim, CISA, IBM Korea Inc., Korea
Perry Menezes, CISM, CRISC, Deutsche Bank, USA
Mario Micallef, CGEIT, CPAA, FIA, Advisory in GRC, Malta
Salomon Rico, CISA, CISM, CGEIT, Deloitte Mexico, Mexico
Nikolaos Zacharopoulos, CISA, CISSP, Geniki Bank, Greece

ISACA and IT Governance Institute® Affiliates and Sponsors


American Institute of Certified Public Accountants
ASIS International
The Center for Internet Security
Commonwealth Association for Corporate Governance Inc.
FIDA Inform
Information Security Forum
Information Systems Security Association
Institute of Management Accountants Inc.
ISACA chapters
ITGI France

ITGI Japan
Norwich University
Solvay Brussels School of Economics and Management
Strategic Technology Management Institute (STMI) of the National University of Singapore
University of Antwerp Management School
ASI System Integration
Hewlett-Packard
IBM
SOAProjects Inc
Symantec Corp.
TruArx Inc.

Table of Contents
I. Introduction.......................................................................................................................................4
II. Using This Document........................................................................................................................5
III. Assurance and Control Framework....................................................................................................8
IV. Executive Summary of Audit/Assurance Focus.................................................................................9
V. Audit/Assurance Program................................................................................................................14
1. Planning and Scoping the Audit...................................................................................................14
2. Preparatory Steps.........................................................................................................................16
3. Governance..................................................................................................................................18
4. Server Configuration....................................................................................................................25
5. Network.......................................................................................................................................34
6. Contingency Planning..................................................................................................................34
VI. Maturity Assessment.......................................................................................................................38
VII. Maturity Assessment vs. Target Assessment...................................................................................43
Appendix I. Exchange Server 2010—Server Roles...................................................................................44
Appendix II. Exchange Server 2010 Transport Pipeline—Schematic........................................................45
Appendix III. Specimen Exchange Server Management Role Hierarchy...................................................46

I. Introduction

Overview
ISACA has developed the IT Assurance Framework™ (ITAF™) as a comprehensive and good-practice-
setting model. ITAF provides standards that are designed to be mandatory and are the guiding principles
under which the IT audit and assurance profession operates. The guidelines provide information and
direction for the practice of IT audit and assurance. The tools and techniques provide methodologies,
tools and templates to provide direction in the application of IT audit and assurance processes.

Purpose
The audit/assurance program is a tool and template to be used as a roadmap for the completion of a
specific assurance process. ISACA has commissioned audit/assurance programs to be developed for use
by IT audit and assurance professionals with the requisite knowledge of the subject matter under review,
as described in ITAF section 2200—General Standards. The audit/assurance programs are part of ITAF
section 4000—IT Assurance Tools and Techniques.

Control Framework
The audit/assurance programs have been developed in alignment with the ISACA COBIT framework—
specifically COBIT4.1—using generally applicable and accepted good practices. They reflect ITAF
sections 3400—IT Management Processes, 3600—IT Audit and Assurance Processes, and 3800—IT
Audit and Assurance Management.


Many organizations have embraced several frameworks at an enterprise level, including the Committee of
Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Framework. The
importance of the control framework has been enhanced due to regulatory requirements by the US
Securities and Exchange Commission (SEC) as directed by the US Sarbanes-Oxley Act of 2002 and
similar legislation in other countries. Enterprises seek to integrate control framework elements used by
the general audit/assurance team into the IT audit and assurance framework. Since COSO is widely used,
it has been selected for inclusion in this audit/assurance program. The reviewer may delete or rename
these columns to align with the enterprise’s control framework.

IT Governance, Risk and Control


IT governance, risk and control are critical in the performance of any assurance management process.
Governance of the process under review will be evaluated as part of the policies and management
oversight controls. Risk plays an important role in evaluating what to audit and how management
approaches and manages risk. Both issues will be evaluated as steps in the audit/assurance program.
Controls are the primary evaluation point in the process. The audit/assurance program will identify the
control objectives and the steps to determine control design and effectiveness.

Responsibilities of IT Audit and Assurance Professionals


IT audit and assurance professionals are expected to customize this document to the environment in
which they are performing an assurance process. This document is to be used as a review tool and starting
point. It may be modified by the IT audit and assurance professional; it is not intended to be a checklist or
questionnaire. It is assumed that the IT audit and assurance professional has the necessary subject matter
expertise required to conduct the work and is supervised by a professional with the Certified Information
Systems Auditor (CISA) designation and/or necessary subject matter expertise to adequately review the
work performed.

II. Using This Document


This audit/assurance program was developed to assist the audit and assurance professional in designing
and executing a review. Details regarding the format and use of the document follow.

Work Program Steps


The first column of the program describes the steps to be performed. The numbering scheme used
provides built-in work paper numbering for ease of cross-reference to the specific work paper for that
section. The physical document was designed in Microsoft® Word. The IT audit and assurance
professional is encouraged to make modifications to this document to reflect the specific environment
under review.

Step 1 is part of the fact-gathering and prefieldwork preparation. Because the prefieldwork is essential to
a successful and professional review, the steps have been itemized in this plan. The first level steps, e.g.,
1.1, are shown in bold type and provide the reviewer with a scope or high-level explanation of the
purpose for the substeps.

Beginning in step 2, the steps associated with the work program are itemized. To simplify the use of the
program, the audit/assurance objective—the reason for performing the steps in the topic area—is
described. The specific controls follow. Each review step is listed below the control. These steps may
include assessing the control design by walking through a process, interviewing, observing or otherwise
verifying the process and the controls that address that process. In many cases, once the control design
has been verified, specific tests need to be performed to provide assurance that the process associated
with the control is being followed.

The maturity assessment, which is described in more detail later in this document, makes up the last
section of the program.

The audit/assurance plan wrap-up—those processes associated with the completion and review of work
papers, preparation of issues and recommendations, report writing, and report clearing—has been
excluded from this document since it is standard for the audit/assurance function and should be identified
elsewhere in the enterprise’s standards.

COBIT Cross-reference
The COBIT cross-reference provides the audit and assurance professional with the ability to refer to the
specific COBIT control objective that supports the audit/assurance step. The COBIT control objective
should be identified for each audit/assurance step in the section. Multiple cross-references are not
uncommon. Processes at lower levels in the work program are too granular to be cross-referenced to
COBIT. The audit/assurance program is organized in a manner to facilitate an evaluation through a
structure parallel to the development process. COBIT provides in-depth control objectives and suggested
control practices at each level. As professionals review each control, they should refer to COBIT4.1 or the
IT Assurance Guide: Using COBIT for good-practice control guidance.

COSO Components
As noted in the introduction, COSO and similar frameworks have become increasingly popular among
audit and assurance professionals. This ties the assurance work to the enterprise’s control framework.
While the IT audit/assurance function uses COBIT as a framework, operational audit and assurance
professionals use the framework established by the enterprise. Since COSO is the most prevalent internal
control framework, it has been included in this document and is a bridge to align IT audit/assurance with
the rest of the audit/assurance function. Many audit/assurance organizations include the COSO control
components within their report and summarize assurance activities to the audit committee of the board of
directors.

For each control, the audit and assurance professional should indicate the COSO component(s) addressed.
It is possible, but generally not necessary, to extend this analysis to the specific audit step level.
The original COSO internal control framework contained five components. In 2004, COSO was revised
as the Enterprise Risk Management (ERM) Integrated Framework and extended to eight components. The
primary difference between the two frameworks is the additional focus on ERM and integration into the
business decision model. ERM is in the process of being adopted by large enterprises. The two
frameworks are compared in figure 1.

Figure 1—Comparison of COSO Internal Control and ERM Integrated Frameworks

The figure pairs each Internal Control Framework component with its ERM Integrated Framework
counterpart; components marked "ERM Integrated Framework only" have no Internal Control Framework
equivalent.

Control Environment (Internal Control Framework): The control environment sets the tone of an
organization, influencing the control consciousness of its people. It is the foundation for all other
components of internal control, providing discipline and structure. Control environment factors include the
integrity, ethical values, management’s operating style, delegation of authority systems, as well as the
processes for managing and developing people in the organization.
Internal Environment (ERM Integrated Framework): The internal environment encompasses the tone of an
organization, and sets the basis for how risk is viewed and addressed by an entity’s people, including risk
management philosophy and risk appetite, integrity and ethical values, and the environment in which they
operate.

Objective Setting (ERM Integrated Framework only): Objectives must exist before management can
identify potential events affecting their achievement. Enterprise risk management ensures that management
has in place a process to set objectives and that the chosen objectives support and align with the entity’s
mission and are consistent with its risk appetite.

Event Identification (ERM Integrated Framework only): Internal and external events affecting achievement
of an entity’s objectives must be identified, distinguishing between risks and opportunities. Opportunities
are channeled back to management’s strategy or objective-setting processes.

Risk Assessment (Internal Control Framework): Every entity faces a variety of risks from external and
internal sources that must be assessed. A precondition to risk assessment is establishment of objectives,
and, thus, risk assessment is the identification and analysis of relevant risks to achievement of assigned
objectives. Risk assessment is a prerequisite for determining how the risks should be managed.
Risk Assessment (ERM Integrated Framework): Risks are analyzed, considering the likelihood and impact,
as a basis for determining how they could be managed. Risk areas are assessed on an inherent and residual
basis.

Risk Response (ERM Integrated Framework only): Management selects risk responses—avoiding,
accepting, reducing or sharing risk—developing a set of actions to align risks with the entity’s risk
tolerances and risk appetite.

Control Activities (Internal Control Framework): Control activities are the policies and procedures that help
ensure management directives are carried out. They help ensure that necessary actions are taken to address
risks to achievement of the entity's objectives. Control activities occur throughout the organization, at all
levels and in all functions. They include a range of activities as diverse as approvals, authorizations,
verifications, reconciliations, reviews of operating performance, security of assets and segregation of
duties.
Control Activities (ERM Integrated Framework): Policies and procedures are established and implemented
to help ensure the risk responses are effectively carried out.

Information and Communication (Internal Control Framework): Information systems play a key role in
internal control systems as they produce reports, including operational, financial and compliance-related
information that make it possible to run and control the business. In a broader sense, effective
communication must ensure information flows down, across and up the organization. Effective
communication should also be ensured with external parties, such as customers, suppliers, regulators and
shareholders.
Information and Communication (ERM Integrated Framework): Relevant information is identified,
captured and communicated in a form and timeframe that enable people to carry out their responsibilities.
Effective communication also occurs in a broader sense, flowing down, across and up the entity.

Monitoring (Internal Control Framework): Internal control systems need to be monitored—a process that
assesses the quality of the system’s performance over time. This is accomplished through ongoing
monitoring activities or separate evaluations. Internal control deficiencies detected through these
monitoring activities should be reported upstream and corrective actions should be taken to ensure
continuous improvement of the system.
Monitoring (ERM Integrated Framework): The entirety of enterprise risk management is monitored and
modifications are made as necessary. Monitoring is accomplished through ongoing management activities,
separate evaluations or both.
Information for figure 1 was obtained from the COSO web site, www.coso.org/aboutus.htm.

The original COSO internal control framework addresses the needs of the IT audit and assurance
professional: control environment, risk assessment, control activities, information and communication,
and monitoring. As such, ISACA has elected to utilize the five-component model for these
audit/assurance programs. As more enterprises implement the ERM model, the additional three columns
can be added, if relevant. When completing the COSO component columns, consider the definitions of
the components as described in figure 1.

Reference/Hyperlink
Good practices require the audit and assurance professional to create a work paper for each line item,
which describes the work performed, issues identified and conclusions. The reference/hyperlink is to be
used to cross-reference the audit/assurance step to the work paper that supports it. The numbering system
of this document provides a ready numbering scheme for the work papers. If desired, a link to the work
paper can be pasted into this column.

Issue Cross-reference
This column can be used to flag a finding/issue that the IT audit and assurance professional wants to
further investigate or establish as a potential finding. The potential findings should be documented in a
work paper that indicates the disposition of the findings (formally reported, reported as a memo or verbal
finding, or waived).

Comments
The comments column can be used to indicate the waiving of a step or other notations. It is not to be used
in place of a work paper describing the work performed.

III. Assurance and Control Framework

ISACA IT Assurance Framework and Standards


The ITAF sections relevant to Exchange Server 2010 are 3630 General Controls and 3650 Auditing
Applications.

ISACA Controls Framework


COBIT is a framework for the governance of IT and supporting tool set that allows managers to bridge
the gap among control requirements, technical issues and business risk. COBIT enables clear policy
development and good practice for IT control throughout enterprises.

As described in the following Executive Summary section, Exchange Server 2010 is an architecture that
supports and drives business processes.

The primary COBIT processes associated with an implementation of Exchange Server 2010 are as
follows:
• PO2 Define the information architecture—Defined data classification scheme used to establish
content security requirements
• PO6 Communicate management aims and direction—Once governance and policies are established,
communicating same to the users
• AI1 Identify automated solutions—Business requirements necessary to define and implement business
processes
• AI3 Acquire and maintain technology infrastructure—Technology architecture required to support
the Exchange Server 2010 environment and ensure alignment with the enterprise architecture
• DS5 Ensure systems security—Security configuration and processes required to secure the Exchange
Server 2010 contents
• DS9 Manage the configuration—Configuration settings of the various servers that support the
infrastructure of Exchange Server 2010
• DS11 Manage data—Data management classification, storage and retention
• ME2 Monitor and evaluate internal control—The decentralized nature of Exchange Server 2010
installations requires the monitoring of internal control as a part of the management structure
• ME3 Ensure compliance with external requirements—Compliance with regulatory and legal entities
associated with the Exchange Server 2010 content
• ME4 Provide IT governance—Decentralized Exchange Server 2010 environments managed by users
require policies and processes to assure adherence to internal controls, effective and efficient data
management, and accompanying management oversight

Refer to ISACA’s COBIT Control Practices: Guidance to Achieve Control Objectives for Successful IT
Governance, 2nd Edition, published in 2007, for the related control practice value and risk drivers.

IV. Executive Summary of Audit/Assurance Focus

Exchange Server 2010


Exchange Server 2010 is a primary Microsoft product that underpins the mission-critical e-mail
architecture in many, if not most, enterprises. Exchange Server 2010 is the latest version of a product that
has been available in various versions since 1996. As such, it is a complex piece of software, comprising
over 20 million lines of code, and now supports over 300 million [1] e-mail boxes. Given the ubiquitous
nature of e-mail, Exchange Server 2010 is a mission-critical component in every enterprise’s architecture.
Its user community ranges from small businesses with one or two servers to the world’s largest
enterprises, which support tens or hundreds of thousands of mailboxes.

As is well known, e-mail is a primary target for malware and attacks. E-mail is both a favored vector for
propagating malware and a major resource-sapping nuisance in its own right (e.g., spam). Therefore,
Exchange Server security and control are fundamental to overall enterprise security.

Microsoft stresses three areas in their development of Exchange Server 2010:


• Easier deployment, higher availability and simpler administration, primarily through the Store and
also the Client Access Server (CAS) feature, which improves availability through data replication and
severing the connection among databases and servers
• Improved communications by supporting much larger mailboxes—up to 10GB; new functionality in
Outlook Web App (previously called Outlook Web Access or OWA) and mobile clients
• Improved visibility and control with protected communications; functionality for archiving and
compliance with legal e-discovery; better reporting and management alerts

Security has been a major focus of Exchange Server 2010 and it includes the following security features:
• Role-based Access Control (RBAC)—Allows for more granular management of permissions
assigned to different stakeholders, e.g., recipient administrators, server administrators, records and
discovery managers, and organization administrators.
• High availability (HA)
• Throttling Policies—Throttling mechanisms on Mailbox, Client Access and Transport help to
protect against and reduce the impact of denial of service (DoS) attacks.
• Federated Delegation—Allows users to collaborate securely with users in external organizations.
This includes cross-forest collaboration, without the need to set up and manage Active Directory trust
relationships.
• Information Rights Management—Enables protection (encryption) of sensitive message content at
multiple levels, while maintaining the enterprise’s ability to decrypt, search and apply messaging
policies to protected content.
• No Security Configuration Wizard—Configuration changes are made via Setup, to install and
enable only those services required for a particular Exchange Server role and to limit communication
to only those ports required for the services and processes running on each server role. This removes
the need for tools such as the Security Configuration Wizard (SCW) to configure these settings.
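As an added illustration, not part of the ISACA program: a read-only Exchange Management Shell script that gathers configuration evidence for the security features listed above (installed server roles, RBAC role assignments and role group membership, throttling policies, federated delegation and IRM) into CSV work papers. The cmdlets are standard Exchange Server 2010 cmdlets; the output folder, the file naming and the "direct user assignment" review rule are assumptions made for this example.

```powershell
# Added evidence-gathering example for an Exchange Server 2010 review; not part of
# the ISACA program. Run from the Exchange Management Shell with a view-only
# (e.g., View-Only Organization Management) account. All cmdlets are standard
# Exchange 2010 cmdlets; $OutDir and the review rule below are assumptions.
$OutDir = 'C:\AuditEvidence\Exchange2010'          # assumed work paper location
$stamp  = Get-Date -Format 'yyyyMMdd-HHmm'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function Save-Evidence {
    # Writes one evidence set to a timestamped CSV and hands the objects back
    # so the reviewer can also look at them on screen.
    param([object[]]$Data, [string]$Name)
    if ($Data) {
        $Data | Export-Csv -NoTypeInformation -Path "$OutDir\$Name-$stamp.csv"
    }
    return $Data
}

# 1. Installed roles and versions per server. Setup enables only the services a
#    role needs, so this inventory anchors the per-server service and port review.
$servers = Get-ExchangeServer |
    Select-Object Name, ServerRole, Edition, AdminDisplayVersion, Site
Save-Evidence -Data $servers -Name 'servers' | Format-Table -AutoSize

# 2. RBAC: every role assignment, with its write scopes, and the membership of the
#    built-in role groups that carry the widest permissions.
$assignments = Get-ManagementRoleAssignment |
    Select-Object Name, Role, RoleAssigneeName, RoleAssigneeType,
                  RecipientWriteScope, ConfigWriteScope
Save-Evidence -Data $assignments -Name 'rbac-assignments' | Out-Null

# Assumed review rule: a role assigned directly to a user, rather than through a
# role group, bypasses the group-based administration model and gets a work paper note.
$directToUser = $assignments | Where-Object { $_.RoleAssigneeType -eq 'User' }

$members = foreach ($group in 'Organization Management', 'Discovery Management',
                              'Server Management', 'Recipient Management') {
    Get-RoleGroupMember -Identity $group |
        Select-Object @{n='RoleGroup'; e={ $group }}, Name, RecipientType
}
Save-Evidence -Data $members -Name 'rolegroup-members' | Out-Null

# 3. Throttling policies: the per-user concurrency limits that bound DoS impact
#    on Client Access and Mailbox services.
$throttling = Get-ThrottlingPolicy |
    Select-Object Name, IsDefault, RCAMaxConcurrency, EWSMaxConcurrency,
                  OWAMaxConcurrency, EASMaxConcurrency, PowerShellMaxConcurrency
Save-Evidence -Data $throttling -Name 'throttling' | Out-Null

# 4. Federated delegation: federation trusts and the external organizations
#    granted access, with what they are allowed to see.
$federation = Get-FederationTrust | Select-Object Name, ApplicationUri, TokenIssuerUri
$orgRelationships = Get-OrganizationRelationship |
    Select-Object Name, Enabled, DomainNames, FreeBusyAccessEnabled, FreeBusyAccessLevel
Save-Evidence -Data $federation -Name 'federation-trusts' | Out-Null
Save-Evidence -Data $orgRelationships -Name 'org-relationships' | Out-Null

# 5. Information Rights Management: whether protected content stays searchable,
#    decryptable in journal reports and visible to transport rules.
$irm = Get-IRMConfiguration |
    Select-Object InternalLicensingEnabled, ExternalLicensingEnabled,
                  ClientAccessServerEnabled, SearchEnabled,
                  JournalReportDecryptionEnabled, TransportDecryptionSetting
Save-Evidence -Data @($irm) -Name 'irm-configuration' | Out-Null

# One-line summary for the reviewer; details are in the CSV files under $OutDir.
"{0} servers, {1} role assignments ({2} assigned directly to users), {3} throttling policies, {4} federation trusts" -f
    @($servers).Count, @($assignments).Count, @($directToUser).Count,
    @($throttling).Count, @($federation).Count
```

The CSV file names follow the work paper numbering convention only loosely; rename them to match the section numbers of the program actually in use.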

In addition, Microsoft now provides Forefront Protection for Exchange Server (FPE), a comprehensive,
multiserver mechanism for protection against the dual threats of malware and spam, including:
• Signature redistribution—Deploys antivirus signature updates to the servers.
• Policy (configuration) deployment—Deploys a centralized set of configuration settings to one or
more FPE or Forefront Protection for SharePoint (FPSP) servers.

[1] The Radicati Group, Microsoft Exchange Server and Outlook Market Analysis, 2010-2014, USA, 2010

• Patch deployment—Distributes rollups and service packs.
• Centralized incident reporting—Reports on the number of malware incidents and filter matches
over a period of time on one or more managed servers.
• Centralized spam reporting—The Spam Detection report presents data about the number of blocked
spam messages.
• Centralized engine versions reporting—The Engine and Definition Versions report presents data
about the antivirus engine versions and definitions on selected servers, comparing current engine
versions of the managed servers to determine which, if any, of the signatures are out of date.
• Quarantine management—Administrators can retrieve quarantine data from FPE servers for local
analysis and management.
• Auto discovery of servers—FPE automatically detects new FPE and FPSP servers that have been
added to your network.
• Exchange Clusters—FPE supports clustered Exchange servers.

Exchange Server 2010 is a significant upgrade to prior versions, especially in the areas of security and
controls. Therefore, this document focuses on this latest (2010) version. Currently, Exchange Server 2010
is available in two server editions:
• Standard Edition—Designed for the messaging and collaboration needs of small and medium
corporations, or for specific server roles or branch offices; supports up to 5 databases
• Enterprise Edition—Designed for large enterprises; supports up to 100 databases

This audit/assurance program focuses on the superset of the Enterprise Edition; audit/assurance staff
should make appropriate changes when assessing the Standard Edition.

Business Impact and Risk


Exchange Server 2010 has the primary focus of storing and administering all aspects of electronic mail.
As such, it is critical to the mission of virtually every enterprise: large or small, private or public sector,
for-profit or not-for-profit. Most businesses therefore have a significant dependence on Exchange Server
2010, which has a direct or indirect impact on:
• Communications, within the enterprise and with the external world
• Business operations
• Customer relations
• Help desk and technical support
• Contractual issues
• Legal and compliance issues, especially the e-discovery process

Corporate e-mails (and, therefore, the supporting Exchange Server 2010 infrastructure) may contain any
kind of business-critical information, including, but not limited to:
• Intellectual property, e.g., patents, copyrighted material
• Sensitive corporate material, e.g., board of directors report distribution and repository, financial data,
marketing and strategic planning data, personnel information, current sales and marketing data
• Enterprise or department procedures and policies
• Communications with third parties, e.g., customers, federal authorities, external legal counsel, joint
venture partners, stockholders, Wall Street, external auditors
• Internal audit work papers
• Issue monitoring
• Internal control documentation and testing

Failure to design and manage effective Exchange Server 2010 controls could result in:

 Destruction or loss of enterprise data in e-mails
 Disclosure of sensitive information sent unencrypted across public networks
 Disclosure of sensitive information or related bad publicity, leading to reputational risk and loss of
confidence by stakeholders, business partners, investors and customers
 Fines and penalties, due to noncompliance or use of corporate e-mail for undesirable activities such as
harassment, undesirable content or industrial espionage
 Lost productivity due to unavailability of e-mail
 Security breaches due to e-mail-borne malware
 Lawsuits by aggrieved third parties if hackers succeed in using compromised e-mail servers to attack
other sites (e.g., so-called botnets)
 Loss of processing capabilities due to excessive spam and other commercial junk mail
 Damage to sender’s reputation, if business or production e-mail were to be blacklisted or blocked by
recipients’ spam filters
 Exchange host compromised and used to originate spam or “phishing” attacks on third-party e-mail
domains or e-mail recipients

Objective and Scope


Exchange Server 2010 comprises a series of cooperating processes that communicate with one another on
local and remote computers, as well as with domain controllers and a number of different clients. Internet
Information Server (IIS) is integral to Exchange Server 2010’s functionality. This series of complex
relationships means that locking down and auditing Exchange Server 2010 requires consideration of
several different components, including the security and controls of:
 Services
 Files
 IIS
 Registry entries
 Underlying Windows Server operating system
 Domain controllers
 Active Directory
 Exchange Server databases
 Exchange Server transport mechanism
 Enterprise applications that use e-mail to communicate with customers or investors
 Firewalls, intrusion detection/prevention devices, etc.
 Other components; e.g., Blackberry Enterprise Server is commonly integrated with this environment

The above list is not intended to intimidate the audit/assurance professional, but rather to indicate that
security and control of Exchange Server 2010 depend on the larger control structure in place in the
enterprise. The audit of Exchange Server 2010 needs to take account of this integration with other parts of
the corporate IT architecture.

This means that, in addition to the technical aspects of Exchange Server 2010, the audit/assurance
professional must focus on the governance, policies and monitoring/oversight functions associated with
its deployment and management.

During the audit planning process, the auditor must determine the scope of the audit. Depending on the
specific implementation, this may include:
 Evaluation of governance, policies and oversight relating to Exchange Server 2010
 Data classification policies and management

 The relevant Exchange Server 2010 business case, deployment or upgrade, strategy, and
implementation controls
 Technical architecture, including interfaces with existing applications, security systems and
technology
 Assessments of IT architecture to support Exchange Server 2010, e.g., IIS web servers, application
servers, database servers, antivirus servers, intrusion detection/prevention servers, FPE servers
 Baseline configurations of specific hardware/software implementation
 Issues related to decentralized Exchange Server 2010 servers or server farms, where appropriate
 Issues related to failover clustering, where appropriate
 Security standards and security configuration baselines
 Consider reviewing external reference sources such as Microsoft Exchange Server 2010 Security
Guide and Center for Internet Security Exchange 2007 Benchmark. (See the list below for the
relevant URLs.)

Minimum Audit Skills


Exchange Server 2010 is a complex set of architectures, requiring technical expertise and understanding,
as well as the ability to evaluate the content vulnerabilities. The audit and assurance professional should
have the requisite knowledge of Exchange Server 2010’s architecture, risk and controls.

The audit/assurance professional should be familiar with Exchange Server 2010’s primary management
tools:
 Exchange Management Console (EMC)—The main graphical console for configuring, managing
and viewing an operational Exchange Server 2010
 Exchange Control Panel (ECP)
 Exchange Management Shell (EMS)

It may also be useful to have—or to develop—proficiency with Windows PowerShell cmdlets or
Exchange Server 2010’s full scripting language. These can be useful for audit tasks, such as retrieving
information from Exchange Server 2010 objects. Examples of cmdlet uses are: (a) to produce
independent documentation of specific Exchange Server 2010 features, or (b) to identify users whose
passwords do not expire.

The audit and assurance professional is cautioned not to attempt to conduct an audit/assurance review of
Exchange Server 2010 utilizing this program as a checklist. Prior to commencing an audit of Exchange
Server 2010, the auditor might consider reviewing the following resources:
 Jagott, Siegfried; Joel Stidley; MS Exchange Server team; Microsoft Exchange Server 2010: Best
Practices, Microsoft Press, USA, 2010
 Redmond, Tony; Microsoft Exchange Server 2010: Inside Out, Microsoft Press, USA, 2010
 Diogenes, Yuri; Thomas W. Shinder; Deploying Microsoft Forefront Protection 2010 for Exchange
Server, Microsoft Press, USA, 2010
 Microsoft Press, Security Operations for Exchange Server: Patterns & Practices, USA, 2002
 Microsoft Forefront Protection Server Script Kit; useful PowerShell scripts free download from
www.microsoft.com/download/en/details.aspx?id=20233

The following resources provide useful guidance on some of the technical and configuration aspects of an
Exchange Server 2010 environment:
 Exchange Server 2010 Security Guide, http://technet.microsoft.com/en-us/library/bb691338.aspx
 Exchange Server 2010 Deployment Assistant, http://technet.microsoft.com/en-
us/exdeploy2010/default.aspx#Index

 Planning for Edge Transport Servers, http://technet.microsoft.com/en-us/library/aa996562.aspx


 Understanding [Exchange Server 2010’s] Management Roles, http://technet.microsoft.com/en-
us/library/dd298116.aspx
 Planning for High Availability and Site Resilience, http://technet.microsoft.com/en-
us/library/dd638104.aspx
 Center for Internet Security Exchange 2007 Benchmark,
http://benchmarks.cisecurity.org/tools2/exchange/CIS_Benchmark_Exchange2007_1.0.pdf (This
publication is available only for Exchange 2003 and 2007, but the 2007 version is still useful.)

V. Audit/Assurance Program
Columns: Audit/Assurance Program Step | COBIT Cross-reference | COSO (Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring) | Reference Hyperlink | Issue Cross-reference | Comments
1. PLANNING AND SCOPING THE AUDIT
1.1 Define the audit/assurance objectives. The audit/assurance objectives are high level
and describe the overall audit goals.
1.1.1 Review the audit/assurance objectives in the introduction to this audit/assurance
program.
1.1.2 Modify the audit/assurance objectives to align with the audit/assurance universe,
annual plan and charter.
1.2 Define audit assignment success. The success factors need to be identified.
Communication among the IT audit/assurance team, other assurance teams and the
enterprise is essential.
1.2.1 Identify the drivers for a successful review. (This should exist in the assurance
function’s standards and procedures.)
1.2.2 Communicate success attributes to the process owner or stakeholder, and obtain
agreement.
1.3 Define the boundaries of the review. The review must have a defined scope.
Understand the functions and application requirements for the Exchange Server
2010 sites within scope.
1.3.1 Obtain a list of Exchange Server 2010 sites, farms, and servers.
1.3.2 Determine the content of Exchange Server 2010 sites to be considered for review.
1.3.3 Determine if a data classification analysis has been performed for the Exchange
Server 2010 sites.
1.3.4 Identify the criteria for selecting Exchange Server 2010 sites for inclusion in the
current audit/review.
1.3.5 Identify and review associated policies concerning e-mail, such as remote access,
acceptable usage and use of webmail.
1.4 Identify and document audit risk. The risk assessment is necessary to evaluate
where audit resources should be focused. In most enterprises, audit resources are
not available for all processes. The risk-based approach assures utilization of audit
resources in the most effective manner. (COBIT: PO9.2)
1.4.1 Identify the business risk associated with the Exchange Server 2010 sites under
consideration for audit/review.
1.4.2 Based on the risk assessment, evaluate the overall audit risk factor for performing
the audit/review.
1.4.3 Based on the risk assessment, identify changes to the scope.
1.4.4 Discuss the risk with IT management, and adjust the risk assessment.
1.4.5 Based on the risk assessment, revise the scope.
1.5 Define the audit change process. The initial audit approach is based on the
reviewer’s understanding of the operating environment and associated risk. As
further research and analysis are performed, changes to the scope and approach
may result. (COBIT: AI6.1)
1.5.1 Identify the senior IT assurance resource responsible for the review.
1.5.2 Establish the process for suggesting and implementing changes to the
audit/assurance program and the authorizations required.
1.6 Define the audit/assurance resources required. The resources required are defined
in the introduction to this audit/assurance program.
1.6.1 Determine the audit/assurance skills necessary for the review.

1.6.2 Estimate the total audit/assurance resources (hours) and time frame (start and end
dates) required for the review.
1.7 Define deliverables. The deliverables are not limited to the final report.
Communication between the audit/assurance teams and the process owner is
essential to assignment success.
1.7.1 Determine the interim deliverables, including initial findings, status reports, draft
reports, due dates for responses or meetings, and the final report.
1.8 Communicate. The audit/assurance process must be clearly communicated to the
customer/client.
1.8.1 Conduct an opening conference to discuss:
 Objectives with the stakeholders
 Documents and information security resources required to perform the review
 Scope, and any scope limitations (audit boundaries)
 Budgets
 Due dates
 Time lines
 Milestones
 Deliverables
2. PREPARATORY STEPS
2.1 Obtain and review the current organizational charts relating to Exchange Server
2010.
2.1.1 Obtain the organization chart for the IT infrastructure.
2.1.2 Obtain the organization chart for the Exchange Server 2010 administration (if
different from or not included with 2.1.2).

2.2 Obtain the job descriptions of personnel responsible for the IT infrastructure and
Exchange Server 2010 administration.
2.3 Determine if audits of Exchange Server 2010, Windows Server, IIS, Active
Directory and SQL Server have been performed previously.
2.3.1 If these audits have been performed, obtain the work papers for the previous audits.
2.3.1.1 Review the security configuration, and determine if identified issues have
been corrected.
2.3.1.2 Determine if the specific servers under consideration for inclusion in the
scope of this audit have been included in the review.
2.4 Select the Exchange Server 2010 sites, farms and servers to be included in the
audit/review.
2.4.1 Based on the prioritized list of Exchange Server 2010 sites, select the farms and
supporting servers to be included in the review. Be sure that there is a representative
sample of any Exchange Server 2010 sites determined to be high-risk.
2.4.2 Select one or more servers from each of the five server roles: Mailbox, Client
Access Server, Hub Transport, Edge Transport and Unified Messaging (as
appropriate).
2.4.3 Select one or more servers from failover clusters.
2.5 Document the Configuration
2.5.1 Use Exchange Management Console (EMC) to determine:
 Organization configuration – applies organization-wide to all Exchange servers
 Server configuration – details of specific servers, i.e., chosen for audit/review
 Service Pack level installed – compare to latest service pack at
www.microsoft.com/exchange/
 Number and locations of all mounted Mailbox databases
 Installed Exchange Server roles, i.e., Client Access Server, Mailbox Server,
Edge Transport Server, Hub Transport Server, Unified Messaging server (see
schematic diagram in VIII. Exchange Server 2010 – server roles)
 Database Availability Groups – these groups drive database replication,
failover and recovery
 Installed X.509 Digital Certificates – these drive e-mail encryption as well as
secure Federated Sharing with third parties (if Federation is deployed)
 Outlook Anywhere – allows remote users (e.g., teleworkers or mobile devices)
to access e-mail boxes securely over Secure Hypertext Transfer Protocol
(HTTPS)
2.5.2 If necessary, run the Get-ExchangeServer cmdlet in Exchange Management Shell
(EMS) to display a list of installed Exchange Server 2010 server roles on the
specified server.
See http://technet.microsoft.com/en-us/library/bb123873.aspx for details of this cmdlet.
2.5.3 Ensure that the Edge Transport Server does not share hardware with any other
Exchange Server 2010 server role (even running in separate virtual machines in a
virtualized environment is discouraged).
2.5.4 If this is a recent deployment of Exchange Server 2010, request the relevant Setup
Log created during the installation and review it for any unresolved warning or error
messages. The Setup Log is located at
<system drive>\ExchangeSetupLogs\ExchangeSetup.log (where <system drive>
is the root directory of the drive where the OS is installed).
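The configuration evidence called for in steps 2.5.1 through 2.5.4 can be collected from the Exchange Management Shell in one pass. The script below is an added example, not ISACA's program text or Microsoft's code; it assumes a domain-joined Exchange 2010 server, an account with at least View-Only Organization Management rights, and the evidence folder path is an assumed value.

```powershell
# Added example (not ISACA's or Microsoft's code): collect the configuration
# evidence listed in steps 2.5.1-2.5.4 into CSV/text files for the work papers.
# Assumptions: run inside the Exchange Management Shell (PowerShell 2.0 on
# Exchange 2010) with at least View-Only Organization Management rights;
# $EvidencePath is an assumed location.
param(
    [string]$EvidencePath = 'C:\AuditEvidence\Exchange2010'   # assumed folder
)
New-Item -ItemType Directory -Path $EvidencePath -Force | Out-Null
# Edge Transport servers are not domain-joined, so per-server cmdlets skip them
$servers = Get-ExchangeServer | Where-Object { -not $_.IsEdgeServer }

# 2.5.1 / 2.5.2: installed roles, edition and build per server
# (compare AdminDisplayVersion against the current service pack level)
Get-ExchangeServer |
    Select-Object Name, Site, Edition, ServerRole, AdminDisplayVersion |
    Export-Csv -NoTypeInformation -Path (Join-Path $EvidencePath 'servers.csv')

# 2.5.1: number and location of mounted mailbox databases
# (-Status is required, otherwise Mounted/MountedOnServer are empty)
$dbs = @(Get-MailboxDatabase -Status)
$dbs | Select-Object Name, Server, MountedOnServer, Mounted, MasterServerOrAvailabilityGroup |
    Export-Csv -NoTypeInformation -Path (Join-Path $EvidencePath 'mailbox-databases.csv')
$mounted = @($dbs | Where-Object { $_.Mounted }).Count
Write-Host ("{0} of {1} mailbox databases are mounted" -f $mounted, $dbs.Count)

# 2.5.1: Database Availability Groups (replication, failover and recovery scope)
Get-DatabaseAvailabilityGroup |
    Select-Object Name, @{n='Servers'; e={ $_.Servers -join ';' }}, WitnessServer, NetworkEncryption |
    Export-Csv -NoTypeInformation -Path (Join-Path $EvidencePath 'dags.csv')

# 2.5.1: X.509 certificates on each server; flag self-signed or soon-expiring
# certificates that are actually bound to a service (SMTP, IIS, POP, IMAP, UM)
$certs = foreach ($srv in $servers) {
    Get-ExchangeCertificate -Server $srv.Name |
        Select-Object @{n='Server'; e={ $srv.Name }}, Thumbprint, Subject, Services,
                      IsSelfSigned, NotAfter
}
$certs | Export-Csv -NoTypeInformation -Path (Join-Path $EvidencePath 'certificates.csv')
$certs | Where-Object { "$($_.Services)" -ne 'None' -and
                        ($_.IsSelfSigned -or $_.NotAfter -lt (Get-Date).AddDays(90)) } |
    Format-Table Server, Subject, Services, IsSelfSigned, NotAfter -AutoSize

# 2.5.1: Outlook Anywhere (remote mailbox access over HTTPS) per Client Access server
Get-OutlookAnywhere |
    Select-Object Server, ExternalHostname, ClientAuthenticationMethod, SSLOffloading |
    Export-Csv -NoTypeInformation -Path (Join-Path $EvidencePath 'outlook-anywhere.csv')

# 2.5.4: warning and error lines from the setup log of the local server
# (path as given in step 2.5.4; absent when setup ran on a different drive)
$setupLog = Join-Path $env:SystemDrive 'ExchangeSetupLogs\ExchangeSetup.log'
if (Test-Path $setupLog) {
    Select-String -Path $setupLog -Pattern 'WARNING|ERROR' |
        ForEach-Object { $_.Line } |
        Set-Content -Path (Join-Path $EvidencePath 'setup-log-findings.txt')
}
```

The CSV files are the documentary evidence for step 2.5; the two on-screen tables (certificates bound to a service but self-signed or expiring, and the mounted-database count) are the items that typically need an explanation from the administrators.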

3. GOVERNANCE
3.1 Business Case
Audit/Assurance Objective: The initial Exchange Server 2010 infrastructure and Exchange
Server 2010 sites are supported by a documented business case describing the return on
investment and other benefits.
4. Exchange Server 2010 Infrastructure Business Case
Control: A business case to support the development of the Exchange Server 2010
Infrastructure is fully documented and describes the benefits to be realized from an
Exchange Server 2010 environment. (COBIT: PO1.2, PO2.1, AI1.3, AI3.1; COSO: X X X X)
4.1.1.1 Obtain the business case for the initial development of the Exchange Server
2010 infrastructure.
4.1.1.2 Determine if the business case describes the benefits to be realized from an
Exchange Server 2010 infrastructure and is appropriately authorized.
5. Exchange Server 2010 Site Business Case Requirements
Control: A business case to support the deployment of an Exchange Server 2010 site or
server farm is fully documented and describes the benefits to be realized therefrom.
(COBIT: PO1.2, PO2.1, AI1.3, AI3.1, DS11.1; COSO: X X X)
5.1.1.1 Select a sample of Exchange Server 2010 sites and farms within the audit
scope.
5.1.1.1.1
5.1.1.1.2
5.1.1.1.3
5.1.1.1.4
5.1.1.1.5

5.1.1.2 For each selected Exchange Server 2010 site, determine if the enterprise
systems development policy would require a business case for deploying or
upgrading to Exchange Server 2010.
5.1.1.3 If a business case is required, determine that a business case exists, describes
the benefits to be realized from the Exchange Server 2010 site, and is
appropriately authorized.
5.2 Exchange Server 2010 Policies
6. Guiding Principles
Audit/Assurance Objective: Exchange Server 2010 new deployments or upgrades (from
earlier versions of MS Exchange Server) adhere to enterprise objectives and
guiding principles.
Exchange Server 2010 Guiding Principles Document
Control: A guiding principles document has been established and addresses key
Exchange Server 2010 deployment, upgrade and operations issues.
(COBIT: PO1.4, PO6, AI1.1, AI1.4, ME4; COSO: X X)
7.1.1.1.1 Determine if a guiding principles or similarly named document exists
which outlines the specific deployment objectives.
7.1.1.1.1.1 Governance Documentation
7.1.1.1.1.1.1 Determine that the guiding principles address
enterprise general policies relating to privacy,
copyright, records retention, confidentiality,
compliance and security.
7.1.1.1.1.2 Site Design

7.1.1.1.1.2.1 Determine if the guiding principles require
Exchange Server 2010 site design to:
 Use a consistent architecture
 Approve changes based on demonstrated
need
 Have a designated owner for each site or
farm
 Take cognizance of enterprise backup and
recovery policies and procedures
 Relevant compliance requirements: Federal,
State, local
8. Policies and Standards
Audit/Assurance Objective: Policies and standards adhere to enterprise policies and
standards
Exchange Server 2010 Policies and Standards
Control: Exchange Server 2010 policies are defined, documented and distributed to
Exchange Server 2010 administrators, architects, application developers and
relevant users. (COBIT: PO6.4, PO6.5; COSO: X)
9.1.1.1.1 Determine if an Exchange Server 2010 policies and standards
document exists.
9.1.1.1.2 Obtain the Exchange Server 2010 policies and standards document,
and review it for the following:
9.1.1.1.2.1 Policy Alignment and Review

9.1.1.1.2.1.1 Exchange Server 2010 policies and standards
align with corporate policies and standards.
9.1.1.1.2.1.2 Exchange Server 2010 policies and standards
are reviewed at least annually and updated as
required.
9.1.1.1.2.1.3 Exchange Server 2010 policies and standards
are formally approved by the CEO.
9.1.1.1.2.2 Content
9.1.1.1.2.2.1 Content is subject to review according to data
classification policies and computer use
policies.
9.1.1.1.2.2.2 Data is retained according to enterprise
retention policies, with provisions for a more
stringent policy based on data classification,
data content or user group (e.g., C-suite
executive e-mail).
9.1.1.1.2.3 Deployment Practices/Processes
9.1.1.1.2.3.1 Exchange Server 2010 deployments follow a
prescribed project framework, such as the
Microsoft Operations Framework (MOF)[2] or
the IT Infrastructure Library (ITIL).[3]
9.1.1.1.2.3.2 If this is a recent or new deployment of
Exchange Server 2010 or a recent upgrade
from an earlier version of Exchange Server,
documented industry-standard Good Practices
were followed, e.g., Microsoft Exchange
Server Deployment Assistant.[4]
[2] www.microsoft.com/MOF
[3] www.itil-officialsite.com/AboutITIL/WhatisITIL.asp
9.1.1.1.2.3.3 The deployment process includes security and
control requirements, including antivirus/spam
strategy (use Exchange Server’s built-in
capability or hosted service), network security,
patching, compliance and e-discovery.
9.1.1.1.2.3.4 Security requirements are defined according to
enterprise security policies, separation of
duties, approval policies, compliance, disaster
recovery, incident management, etc.
9.1.1.1.2.3.5 The deployment process includes appropriate
expected performance metrics to quantify
hardware needed, at present and in the future.
9.1.1.1.2.3.6 Exchange Server 2010 operations conducts
appropriate capacity planning and on-going
management to determine available and
expected processing capacity.
9.1.1.1.2.3.7 Volume testing and load balancing for multiple
servers were conducted.
9.1.1.1.2.3.8 Disaster recovery planning was included.
9.1.1.1.2.3.9 Appropriate backup schedules have been
established.
9.1.1.1.2.3.10 Acceptable use policies are in place and have
been communicated to all users.
[4] http://technet.microsoft.com/en-us/exdeploy2010/default.aspx#Index
9.1.1.1.2.3.11 Encryption standards are in place (important
for compliance with regulations, such as
HIPAA and PCI).
9.1.1.1.2.4 Specific Site Policies
9.1.1.1.2.4.1 Specific sites may alter policies to require more
stringent security and design guidelines. More
relaxed policies not in compliance with data
classification standards and guidelines must be
approved by Information Security management
and the business data owner.
Gain documentary evidence of such approval(s), if
appropriate.
9.1.1.1.2.5 Audit Policies
9.1.1.1.2.5.1 Audit policies are aligned with enterprise audit
policies based on data classification.
9.1.1.1.2.5.2 Audit policies include monitoring of access to
Exchange Server sites, farms and servers by:
 Site administrators
 Farm administrators
 Other privileged users, e.g., database
administrators
10. Roles and Responsibilities
Audit/Assurance Objective: Policies and standards address the roles and responsibilities
for implementing and maintaining Exchange Server 2010 sites including the
underlying technology stack that supports Exchange Server 2010.
Roles and Responsibilities Description
Control: An Exchange Server 2010 policies and roles document describes the specific
responsibilities of key job functions. (COBIT: PO4.6, PO7; COSO: X X)
11.1.1.1.1 Determine if an Exchange Server 2010 roles and responsibilities
document exists.
11.1.1.1.2 If the document exists, evaluate the appropriateness of the
descriptions for the following roles:
 Executive Sponsor
 Governance Board or Steering Committee
 Technology Administrator
 Technology Support Team
 Content Manager / Metadata Steering Committee
 Exchange Server 2010 Deployment Consultant
 Network Architect
 Site Designer
 Site Owner
11.1.1.1.3 Review the roles against the following responsibilities to assure these
responsibilities are assigned to a job function and to specific
individual(s):
 Management of the technical infrastructure, including server,
networks, database management, mailbox management, etc.
 Management of the Exchange Server 2010 farms infrastructure
 Management of individual Exchange Server sites
 Site security
 Access controls, i.e., user provisioning
 Performance evaluation
 Business continuity and disaster recovery

11.2 Monitoring
12. Monitoring of Policies and Procedures
Audit/Assurance Objective: Exchange Server 2010 sites are subject to regular
monitoring and reporting, based on criticality and sensitivity of data, and adherence
to management oversight requirements.
Management Oversight of Exchange Server 2010 Deployments and Operations
Control: Exchange Server 2010 implementations follow the enterprise project
management system and, where practical, the systems development life cycle.
(COBIT: PO10, ME1; COSO: X X)
13.1.1.1.1 Prepare a sample of recent Exchange Server 2010 deployments
(upgrades or new deployments).
13.1.1.1.2 Select high-risk or high-profile Exchange Server 2010
implementations.
13.1.1.1.3 Obtain project documentation.
13.1.1.1.4 Determine if the monitoring of the Exchange Server 2010 project
was/is in alignment with enterprise standards.
13.1.1.1.5 Determine if Exchange Server 2010 operations are monitored in a
manner consistent with other operational processes.
Issue Monitoring
Control: Exchange Server 2010 implementation and operations are subject to issue
monitoring and escalation to appropriate managers in the IT and business
units. (COBIT: PO10, DS8, ME1, ME2, ME4; COSO: X X X X)
14.1.1.1.1 Obtain issue monitoring reports.
14.1.1.1.2 Evaluate the issue monitoring function for effectiveness,
completeness, and appropriate and timely escalations.
15. SERVER CONFIGURATION
15.1 Virtualization
Audit/Assurance Objective: Exchange Server 2010 servers running in a virtualized
environment are fully segregated from other servers running on the same physical
hardware.
16. Virtualization Segregation
Control: Exchange Server 2010 servers are segregated from other servers in the
virtualization pool. (COBIT: PO2.1, DS5.1, DS9; COSO: X)
16.1.1.1 Obtain the server virtualization specifications and architecture
documentation.
16.1.1.2 Determine that controls within the virtualization configuration assure
complete segregation of Exchange Server 2010 processes and access rights
from other environments.
16.1.1.3 If a virtualization audit has been performed, review the findings and issue
monitoring for identified control concerns and remediation plans.
16.1.1.4 If no recent virtualization audit has been performed and the Exchange Server
2010 servers operate in a virtualized environment, consider postponing the
Exchange Server 2010 audit until a virtualization audit can be performed.
Refer to the ISACA VMware Audit/Assurance Program, as needed.

16.2 Role-based Access Controls (RBAC)
Audit/Assurance Objective: Role-based Access Controls are deployed to control, at both the
broad and granular level, what administrators and end users are permitted to do in the
Exchange Server 2010 environment and that the roles assigned to them align to their
actual roles within the organization. (COBIT: DS1)
17. Role Groups Are Used
Control: Role Groups are used to grant permissions to the various privileged roles.
Exchange Server 2010 ships with an extensive list of management roles—all
privileged positions should be provisioned according to their role groups.
(COBIT: PO2.3, DS5.3, DS5.4; COSO: X)
17.1.1.1 Obtain a copy of the most recent Exchange Server 2010 Management Role
hierarchy chart—see Appendix III of this document for an example.
17.1.1.2 Determine that the Management Role hierarchy chart includes all built-in
roles as well as all custom management roles. Obtain explanations for roles
with excessive privileges.
17.1.1.3 Retrieve a list of role assignments. Since this cannot be done with EMC, it
requires use of the Get-ManagementRoleAssignment cmdlet.
For details, see http://technet.microsoft.com/en-us/library/dd351024.aspx
Example: Get-ManagementRoleAssignment "Tier 1*"—retrieves a list of all the
role assignments beginning with the string "Tier 1".
17.1.1.4 Select a sample of Management Roles and view the details of their allocated
privileges, using the above Get-ManagementRoleAssignment cmdlet.
Example: Get-ManagementRoleAssignment "Help Desk Assignment" |
Format-List—retrieves the details of the Help Desk Assignment Role list.

17.1.1.5 Select a sample of role assignees and view their role assignments. Obtain
explanations for excessive or unusual privileges.

Example: Get-ManagementRoleAssignment -RoleAssignee "Server
Management"—to view the Server Management role group.

17.1.1.6 Select a sample of role assignments that have been scoped to a specific
organizational unit (OU) and retrieve a list of the corresponding role
assignments.
Example: Get-ManagementRoleAssignment
-RecipientOrganizationalUnitScope "OU"—where OU is the fully
qualified name of the required OU.
17.1.1.7 Select a sample of senior management or sensitive servers and retrieve a list
of role assignments that can modify the specific recipients or servers.
Example 1: Get-ManagementRoleAssignment -WritableRecipient "XXX"—to
retrieve a list of role assignments that can modify the recipient named XXX.
Example 2: Get-ManagementRoleAssignment -WritableServer SV02
-RoleAssignee "Server Management" -GetEffectiveUsers—to retrieve
all users who are assigned to the Server Management role group and who
can modify the server SV02.
17.1.1.8 Obtain a list of role assignments that are disabled and obtain explanations.
Example: Get-ManagementRoleAssignment -Enabled $False
17.1.1.9 View the default management role Assignment Policy, as follows:
Get-RoleAssignmentPolicy | Format-Table Name, IsDefault
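The following script is an added example, not part of the ISACA program, that collects the evidence for steps 17.1.1.4 through 17.1.1.9 in a single Exchange Management Shell run and writes it to CSV working papers. It assumes the caller holds the View-Only Organization Management role or better; the sampled role group names, the server name SV02 (taken from the program's own example) and the evidence folder are placeholders to change per engagement.

```powershell
# Added example (not ISACA's own): RBAC evidence for steps 17.1.1.4 - 17.1.1.9.
# Placeholders: sampled role groups, sensitive server name, evidence folder.
param(
    [string[]]$SampledRoleGroups = @("Organization Management", "Server Management"),
    [string]$SensitiveServer = "SV02",
    [string]$EvidenceFolder = "C:\Audit\RBAC"
)
New-Item -ItemType Directory -Path $EvidenceFolder -Force | Out-Null

# 17.1.1.4 / 17.1.1.5: every assignment behind each sampled role group, expanded to
# the users who effectively hold it (-GetEffectiveUsers walks group membership),
# with the write scopes that bound what the role may change.
foreach ($group in $SampledRoleGroups) {
    $file = Join-Path $EvidenceFolder ("assignments_" + ($group -replace "[^A-Za-z0-9]", "_") + ".csv")
    Get-ManagementRoleAssignment -RoleAssignee $group -GetEffectiveUsers |
        Select-Object Name, Role, RoleAssignee, EffectiveUserName, Enabled,
                      RoleAssignmentDelegationType, RecipientWriteScope, ConfigWriteScope,
                      CustomRecipientWriteScope, CustomConfigWriteScope |
        Export-Csv -Path $file -NoTypeInformation
}

# 17.1.1.7 (example 2): everyone who can modify the sensitive server, de-duplicated.
Get-ManagementRoleAssignment -WritableServer $SensitiveServer -GetEffectiveUsers |
    Select-Object EffectiveUserName, Role, RoleAssignee |
    Sort-Object EffectiveUserName, Role -Unique |
    Export-Csv -Path (Join-Path $EvidenceFolder "writable_$SensitiveServer.csv") -NoTypeInformation

# Exceptions the reviewer should obtain explanations for.
$all = Get-ManagementRoleAssignment
$exceptions = @()
# Delegating assignments let the assignee hand the role to others.
$exceptions += @($all | Where-Object { $_.RoleAssignmentDelegationType -ne "Regular" } |
    Select-Object @{n="Exception"; e={"Delegating assignment"}}, Name, Role, RoleAssignee)
# Roles assigned straight to a user bypass role-group membership review.
$exceptions += @($all | Where-Object { $_.RoleAssigneeType -eq "User" } |
    Select-Object @{n="Exception"; e={"Direct user assignment"}}, Name, Role, RoleAssignee)
# 17.1.1.8: disabled assignments.
$exceptions += @(Get-ManagementRoleAssignment -Enabled $false |
    Select-Object @{n="Exception"; e={"Disabled assignment"}}, Name, Role, RoleAssignee)
$exceptions | Export-Csv -Path (Join-Path $EvidenceFolder "exceptions.csv") -NoTypeInformation

# 17.1.1.9: the assignment policy that new mailboxes receive, with its roles.
Get-RoleAssignmentPolicy | Where-Object { $_.IsDefault } |
    Format-List Name, IsDefault, AssignedRoles
```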

17.2 Secure Communication
Audit/Assurance Objective: Communication among Exchange Server 2010 servers and with
users is securely encrypted, using industry-standard cryptography.
18. Application Servers Configured for Security DS5.11
Control: Database Availability Group (DAG) encryption is enabled for all databases. X
DS11.6
18.1.1.1 Use the Get-DatabaseAvailabilityGroup cmdlet to view the NetworkEncryption
setting of each DAG. This should be set to Enabled.
Format: Get-DatabaseAvailabilityGroup | Format-List Name, NetworkEncryption
(Set-DatabaseAvailabilityGroup -NetworkEncryption Enabled changes the setting.)
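As an added example for step 18.1.1.1 (not ISACA's own), the script below reports the replication encryption setting of every DAG together with the DAG networks it applies to. Exchange Server 2010 accepts Disabled (the default), Enabled, InterSubnetOnly and SeedOnly for NetworkEncryption; only Enabled protects all replication and seeding traffic on all DAG networks, so the check reports anything else. The evidence path is a placeholder.

```powershell
# Added example (not ISACA's own): DAG NetworkEncryption check for step 18.1.1.1.
$EvidenceFile = "C:\Audit\DAG_NetworkEncryption.csv"   # placeholder path

$report = foreach ($dag in Get-DatabaseAvailabilityGroup) {
    $setting = [string]$dag.NetworkEncryption
    # Networks with replication enabled carry the log-shipping traffic the setting
    # protects; InterSubnetOnly leaves same-subnet networks in clear text.
    $replNets = Get-DatabaseAvailabilityGroupNetwork -Identity $dag.Name |
        Where-Object { $_.ReplicationEnabled -and -not $_.IgnoreNetwork }
    $finding = switch ($setting) {
        "Enabled"         { "" }
        "InterSubnetOnly" { "Only cross-subnet replication is encrypted" }
        "SeedOnly"        { "Only database seeding is encrypted; log shipping is in clear text" }
        default           { "Replication traffic is not encrypted" }
    }
    $dag | Select-Object Name,
        @{n="Servers";             e={ $dag.Servers -join ", " }},
        @{n="NetworkEncryption";   e={ $setting }},
        @{n="ReplicationNetworks"; e={ ($replNets | ForEach-Object { $_.Name }) -join ", " }},
        @{n="Compliant";           e={ $setting -eq "Enabled" }},
        @{n="Finding";             e={ $finding }}
}
$report | Format-Table -AutoSize
$report | Export-Csv -Path $EvidenceFile -NoTypeInformation

# Remediation, under change control, is the cmdlet the program cites:
# Set-DatabaseAvailabilityGroup -Identity <DAG name> -NetworkEncryption Enabled
```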
19. Mobile Device Policies Are in Place
Control: Appropriate policies are in place to control mobile devices and protect against PO2.3
X
data leakage from such devices. DS5.11
19.1.1.1 Obtain a copy of Mobile Device Policy and ensure it is current and has been
distributed to all affected users.
19.1.1.2 Ensure that the policy requires users who are permitted use of mobile
devices (smartphones, tablet computers, netbooks, etc.) to report the loss or
theft of such a device as soon as possible so the data on the device can be
remotely wiped.
19.1.1.3 Ensure that the policy requires users who are permitted use of mobile
devices to accept in writing that all data on mobile devices will be remotely
wiped immediately on termination of employment.
19.1.1.4 Ensure that the corporate acceptable use policy (for users of corporate
networks) specifically covers both e-mail and mobile device users.

19.2 Anti-spam and Antivirus
Audit/Assurance Objective: Proper anti-spam and antivirus technical controls are in place and
regularly updated and maintained.
20. Forefront Protection 2010 for Exchange (FPE) Server
Control: If Microsoft Forefront Protection 2010 for Exchange Server (FPE) is deployed, DS5.9
it is up to date for effective anti-spam and antivirus protection. FPE deployment is X
DS9
regarded as a good practice in an Exchange Server 2010 environment.
20.1.1.1 Obtain a copy of the FPE planning document and establish that proper
planning was done before deployment (incorrect or ineffective deployment
can have a significant negative effect on performance and, hence, user
productivity). Reference: http://technet.microsoft.com/en-
us/library/aa996562(EXCHG.140).aspx
20.1.1.2 Obtain evidence that Operations Management regularly uses FPE to review
the protection levels in place in the user community; i.e., metrics exist and
are regularly collected for proactive monitoring of e-mail users, namely:
• What percentage of users’ computers are/are not currently protected?
• Is antivirus software installed and turned on for all connected users?
• Do all users have the latest anti-malware definitions installed?
• What malware has been recently detected in the organization?
20.1.1.3 Use FPE’s Dashboard to review the above statistics under the Computer
Infection Status section. Obtain explanations for anomalies, such as
unusually high malware infection statistics, higher than normal numbers of
unprotected devices or devices for which protection could not be deployed,
etc.
20.1.1.4 Obtain evidence that Operations Management regularly monitors sites such
as Microsoft’s Malware Protection Center for the latest information on
malware. Reference: www.microsoft.com/security/portal/
20.1.1.5 Obtain evidence that Operations Management has assigned adequate

resources to monitor, repair and report malware infections into the Exchange
Server environment.
20.1.1.6 Obtain evidence that Operations Management provides regular statistical
summary reports to senior management on the status of protection in the
Exchange Server environment.
20.1.1.7 Obtain evidence that: (a) administrative privileges to FPE are role-based,
(b) a highly restricted number of employees have such privileges, (c) these
roles are regularly monitored, and (d) copies of passwords for the following
privileged accounts are kept in a secure location, accessible by a senior
individual in an emergency situation:
• FPE Full Administrator
• FPE Policy Author
• FPE Policy Deployment Manager
20.1.1.8 Establish that FPE policies are installed and operational. Policies include
frequency and time that users’ devices are scanned, which devices (if any)
are excluded, etc. Policies can be viewed in the
FPE Configuration Manager FPE Policies.
20.1.1.9 Establish that consistent FPE policies are deployed to all user devices.
Obtain explanations for any discrepancies, e.g., user groups excluded from
standard policy. View Policy Assignment in the
FPE Configuration Manager FPE Policies.
20.2 Messaging Compliance
Audit/Assurance Objective: Exchange Server 2010 is appropriately configured to comply with
relevant regulatory, legal, industry and corporate internal requirements.
21. Message Retention Is Appropriate for the Needs of the Enterprise
Control: Messages are retained for the appropriate duration to comply with the most DS11.2 X
restrictive requirement.
21.1.1.1 Verify that written corporate policy specifically and clearly defines the

retention period for all e-mail messages and that this time period equals or
exceeds that for the most restrictive compliance requirement for the
enterprise.
21.1.1.2 Verify that Exchange Server 2010 Operations Management is fully aware of
the message retention and electronic discovery policies.
21.1.1.3 Verify that the Exchange Server 2010 deployment or upgrade process
included Messaging Records Management (MRM).
21.1.1.4 Verify that the Exchange Server 2010 environment includes the use of
Retention Tags that are applied to all messages. Types of Retention Tags
include: Default Policy Tag (DPT), Retention Policy Tag (RPT) and
Personal Tag.
21.1.1.5 Use the Exchange Management Console (EMC) to view the deployed
Retention Tags. The number of retention tags should not be too large, else
tag maintenance—and hence compliance with retention policy—may be too
onerous or ineffective.
21.2 Journaling Is Appropriately Controlled
Audit/Assurance Objective: Journaling is used to record e-mail communications for archival
and e-discovery purposes. Since mailbox journals can contain sensitive data, access to
them should be tightly controlled and monitored.
22. Journaling Is Controlled and Monitored
Control: Access to mailbox journal storage is restricted to a small number of trusted ME1 X X X
administrators.
22.1.1.1 Obtain and review a list of all personnel with access to mailbox journals and
obtain explanations if the number of personnel with access seems excessive
for the organization.

22.2 Litigation Hold Is Enabled for Potential Legal E-discovery
Audit/Assurance Objective: The environment is cognizant of the need for, and techniques to
achieve, litigation hold on specified mailboxes in the case of legal e-discovery.
23. Policies Are in Place to Effect a Legal Hold DS5
Control: A legal hold policy is documented, up-to-date and conveyed to Exchange DS11 X X
Server 2010 Operations Management. ME1
23.1.1.1 Obtain a copy of the legal hold policy and determine whether it has been
communicated to, and understood by, Exchange Server 2010 Operations
Management.
23.1.1.2 By query and observation, determine whether Exchange Server 2010
Operations Management is able to perform Multi-Mailbox Searches (either
via the ECP or the EMS).
23.2 Auditing and Logging
Audit/Assurance Objective: Exchange Server 2010 is configured to log all use of Windows
PowerShell cmdlets. This facilitates tracking of administrator-level functions using
PowerShell.
24. PowerShell Auditing Is Enabled
Control: The Exchange Server 2010 audit mailbox feature is enabled and in use. This
feature logs all uses of PowerShell cmdlets which can be used to do specific DS9 X
administrator functions.
24.1.1.1 Determine if an auditing policy has been established to require logging of
the use of any PowerShell cmdlet.
24.1.1.2 If a policy exists, determine if it has been enabled for all Exchange Server
2010 sites.
24.1.1.3 Select a sample of Exchange Server 2010 sites and the defined auditing

mailbox(es). Confirm this via the EMC.
24.1.1.4 Run an audit mailbox report, using ECP, select a sample of entries from the
audit mailbox and obtain explanations for the use of cmdlets. Include cases
where the cmdlet was run after normal working hours, if any.
24.1.1.5 Determine if access to the auditing mailbox(es) is restricted and, if so, access
is permitted only to a small number of trusted individuals.
24.1.1.6 Determine whether the auditing mailbox(es) are routinely monitored so they
do not run out of disk space.
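The script below is an added example, not part of the ISACA program, that gathers evidence for steps 24.1.1.1 through 24.1.1.4 from the Exchange Management Shell: it checks that administrator audit logging is enabled for every cmdlet, pulls the audit entries for a review window, and isolates after-hours use and cmdlets that change who is audited or who holds privilege. It assumes Exchange Server 2010 SP1 or later (the Search-AdminAuditLog cmdlet); the 30-day window, the 08:00 to 18:00 working hours, the watch-list and the evidence folder are placeholders to set per engagement.

```powershell
# Added example (not ISACA's own): admin audit log evidence for steps 24.1.1.1 - 24.1.1.4.
# Assumes Exchange Server 2010 SP1 or later. All parameter defaults are placeholders.
param(
    [int]$LookBackDays = 30,
    [int]$WorkdayStart = 8,
    [int]$WorkdayEnd   = 18,
    [string]$EvidenceFolder = "C:\Audit\AdminAudit"
)
New-Item -ItemType Directory -Path $EvidenceFolder -Force | Out-Null

# 24.1.1.1 / 24.1.1.2: auditing must be on and must cover every cmdlet ("*").
$cfg = Get-AdminAuditLogConfig
$findings = @()
if (-not $cfg.AdminAuditLogEnabled) { $findings += "Administrator audit logging is disabled" }
if (-not ($cfg.AdminAuditLogCmdlets -contains "*")) {
    $findings += "Logging is limited to: " + ($cfg.AdminAuditLogCmdlets -join ", ")
}

# Cmdlets that alter the audit configuration or grant privilege; each use needs an explanation.
$watchList = @("Set-AdminAuditLogConfig", "New-ManagementRoleAssignment",
               "Set-ManagementRoleAssignment", "Add-RoleGroupMember",
               "Add-MailboxPermission", "Add-ADPermission", "New-JournalRule")

# 24.1.1.4: pull the window (250000 is the cmdlet's maximum result size).
$now = Get-Date
$entries = Search-AdminAuditLog -StartDate $now.AddDays(-$LookBackDays) -EndDate $now -ResultSize 250000

# Entries run outside working hours or at the weekend.
$afterHours = $entries | Where-Object {
    $h = $_.RunDate.Hour
    ($h -lt $WorkdayStart) -or ($h -ge $WorkdayEnd) -or
    (@("Saturday", "Sunday") -contains $_.RunDate.DayOfWeek.ToString())
}
$watched = $entries | Where-Object { $watchList -contains $_.CmdletName }

# Flatten each entry (parameters are a Name/Value collection) for the working papers.
function Select-AuditColumns {
    process {
        $_ | Select-Object RunDate, Caller, CmdletName, ObjectModified, Succeeded, OriginatingServer,
            @{n="Parameters"; e={ ($_.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join "; " }}
    }
}
$afterHours | Select-AuditColumns | Export-Csv -Path (Join-Path $EvidenceFolder "after_hours.csv") -NoTypeInformation
$watched    | Select-AuditColumns | Export-Csv -Path (Join-Path $EvidenceFolder "watch_list.csv") -NoTypeInformation

# Sample frame for the reviewer: who ran what after hours, most frequent first.
$afterHours | Group-Object Caller, CmdletName | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
$findings | ForEach-Object { Write-Warning $_ }
```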
24.1.1.7 Determine whether Exchange Server Operations Management regularly runs
the Microsoft Exchange Best Practices Analyzer tool, which scans the
Exchange Server Environment and reports on overall “health” of Exchange
servers and topology.

Run Microsoft Exchange Best Practices Analyzer from the EMC and obtain
explanations for any variances.
24.1.1.8 Determine whether Exchange Server 2010 Operations Management
regularly runs the Microsoft Exchange Server User Monitor tool for real-time
analysis of current client usage patterns, both for capacity planning and to
identify users with excessive use patterns (which could indicate downloading
of the enterprise’s intellectual property).

24.2 Ethical Firewalls
Audit/Assurance Objective: E-mail systems are separated as needed to protect the
confidentiality of e-mails.
25. Ethical Firewalls
Control: An ethical firewall is in place to block e-mails between one part of the
enterprise and another. If this is appropriate to the enterprise being audited, X
Exchange Server 2010 is configured with appropriate rules to enforce such
requirements, if needed by the enterprise.
25.1.1.1 Determine whether the entity being audited has any restrictions on e-mail
communication among user departments, companies or groups.
25.1.1.2 If such a restriction is required between entities (e.g., traders and analysts in
financial services, or contractors/employees and a competitor), determine
whether suitable rules have been deployed to enforce the ethical firewall.
26. NETWORK
26.1 Network Design
Audit/Assurance Objective: The network utilized by the Exchange Server 2010 environment is
protected from unauthorized access and intrusion opportunities are minimized.
27. Server Network Location
Control: Servers that host Exchange Server 2010 are located in a suitably protected DS5.12 X
subnet.[5]
27.1.1.1 Obtain a network schematic for the Exchange Server 2010 sites within the
audit scope.

[5] For a simplified Exchange Server architecture, see Appendix II: Exchange Server 2010 – Server Roles.
27.1.1.2 Determine if the Exchange Server 2010 network segments are adequately
secured, i.e., not directly accessible from the Internet, behind the appropriate
firewall(s), within the scope of deployed Intrusion Detection/Prevention
systems.
28. CONTINGENCY PLANNING
28.1 Contingency Planning
Audit/Assurance Objective: Essential Exchange Server 2010 services are included in the IT
contingency plan/business continuity plan (BCP).
29. Contingency Business Impact Analysis
Control: Exchange Server 2010 applications are included in the business unit’s business DS4 X
impact analysis (BIA).
29.1.1.1 Obtain the BIA for the business units operating Exchange Server 2010 sites.
29.1.1.2 Determine if the BIA considers the Exchange Server 2010 site in its
continuity analysis.
30. Contingency Plan for Exchange Server 2010 Applications
Control: Exchange Server 2010 applications are included in the contingency plan based DS4 X
on its risk profile.
30.1.1.1 Obtain the BIA.
30.1.1.2 Determine if the Exchange Server 2010 applications are rated as
high-priority for restoration.
30.1.1.3 Verify that the continuity plan includes interim processing and restoration
plans.

30.2 High Availability Audit/Assurance
Audit/Assurance Objective: The Exchange Server 2010 environment can deliver
high-availability—typically 99.99% uptime or better—to users, given the mission-critical
nature of e-mail communications.
31. Control: The Exchange Server 2010 upgrade or deployment included specific design goals for high- DS4
availability. X
PO2.1
31.1.1.1 Obtain the upgrade or deployment plans for a sample of Exchange Server
2010 sites.
31.1.1.2 Determine whether the plans specifically included design criteria to support
high-availability and that the level chosen (e.g., 99.99% uptime) is
appropriate to the business environment.
31.1.1.3 Obtain a copy of the high-availability architecture and determine whether
the Exchange Server 2010 Database Availability Group (DAG) design is
appropriate to provide rapid and automated failover and recovery of all the
Exchange Server 2010 databases.
31.1.1.4 Obtain and review a copy of the failover and recovery test plan to determine:
a) That it covers all databases in the defined DAG, and
b) That the plan is required to be tested regularly in full disaster simulation
mode.
31.1.1.5 Obtain and review a copy of the last Exchange Server 2010 failover and
recovery test. Determine whether the results of the test were analyzed and
reported to senior management and that appropriate remediation has been
completed of any shortcomings or weaknesses in the test results.
31.1.1.6 Obtain and review a copy of the high-availability architecture and establish
that failover copies of databases are not held on the same physical servers as

the original databases.
31.2 Backup and Recovery
Audit/Assurance Objective: The Exchange Server 2010 backup and recovery schedule is
appropriate to protect the enterprise’s investment in a reliable messaging service.
32. Backup and Recovery DS11.2
Control: A backup and recovery process is documented and addresses contingency needs. X
DS11.5
32.1.1.1 Obtain and review a copy of the enterprise’s disaster recovery plan (DRP)
and determine whether service levels have been taken into account, namely
all of the following:
• Service level agreements (SLAs), which define how long e-mail can be down before service
has to be restored
• Recovery point objectives (RPOs), which determine how much data can be lost, measured in
minutes
• Recovery time objectives (RTOs), which determine the maximum time allowed for
recovering each service, measured in minutes
• In addition, recovery after any of the following needs to be taken into account:
- Loss of a single message
- Loss of a single mailbox
- Loss of a database server
- Loss or corruption of a mailbox database
- Loss or corruption of a public folder database (if public folders are
deployed)

33. Determine whether Microsoft System Center Data Protection Manager (DPM) 2010 is deployed and
used for automated backup and recovery.
34. Obtain and review a copy of the last recovery test and determine whether all of the above were
tested and whether all deficiencies in the tested recovery process have been fully remediated.
35. Determine whether backup copies of the Exchange Server 2010 databases are:
• Maintained in a secure offsite facility
• Encrypted (backup tapes or disks) before leaving the premises
• Restricted, for access to offsite backup copies, to a small number of trusted
employees
• Carried to the offsite storage by a third party in a secure
fashion, e.g., armored vehicles, armed guards, etc.

VI. Maturity Assessment


The maturity assessment is an opportunity for the reviewer to assess the maturity of the processes reviewed. Based on the results of the audit/assurance review
and the reviewer’s observations, assign a maturity level to each of the following COBIT control objectives.[6]

Table columns: COBIT Control Objective | Assessed Maturity | Target Maturity | Reference Hyperlink | Comments
PO1 Define a Strategic IT Plan
• PO1.1 IT Value management—Work with the business to ensure that the enterprise
portfolio of IT-enabled investments contains programmes that have solid business cases.
• PO1.2 Business-IT alignment—Establish processes of bi-directional education and
reciprocal involvement in strategic planning to achieve business and IT alignment and
integration.
PO2 Define the Information Architecture
• PO2.1 Enterprise information architecture model—Establish and maintain an enterprise
information model to enable applications development and decision-supporting activities,
consistent with IT plans.
• PO2.3 Data classification scheme—Establish a classification scheme that applies
throughout the enterprise, based on the criticality and sensitivity of enterprise data. This
scheme should include details about data ownership; definition of appropriate security
levels and protection controls; and a brief description of data retention and destruction
requirements, criticality and sensitivity. It should be used as the basis for applying controls
such as access controls, archiving or encryption.
PO4 Define the IT Processes, Organisation and Relationships
• PO4.6 Establishment of roles and responsibilities—Establish and communicate roles and
responsibilities for IT personnel and end users that delineate between IT personnel and
end-user authority, responsibilities and accountability for meeting the organisation’s needs.
• PO4.8 Responsibility for risk, security and compliance—Embed ownership and
responsibility for IT-related risks within the business at an appropriate senior level. Define
and assign roles critical for managing IT risks, including the specific responsibility for
information security, physical security and compliance.
• PO4.9 Data and system ownership—Provide the business with procedures and tools,
enabling it to address its responsibilities for ownership of data and information systems.
Owners should make decisions about classifying information and systems and protecting
them in line with this classification.

[6] The COBIT control objectives have been abridged to focus on Exchange Server 2010 concerns. Extended descriptions were maintained for critical objectives.

AI1 Identify Automated Solutions


• AI1.1 Definition and maintenance of business functional and technical requirements—
Identify, prioritise, specify and agree on business functional and technical requirements
covering the full scope of all initiatives required to achieve the expected outcomes of the
IT-enabled investment programme.
• AI1.3 Feasibility study and formulation of alternative courses of action—Develop a
feasibility study that examines the possibility of implementing the requirements. Business
management, supported by the IT function, should assess the feasibility and alternative
courses of action and make a recommendation to the business sponsor.
AI3 Acquire and Maintain Technology Infrastructure
• AI3.1 Technological infrastructure acquisition plan—Produce a plan for the acquisition,
implementation and maintenance of the technological infrastructure that meets established
business, functional and technical requirements and is in accord with the organisation’s
technology direction.
AI7 Install and Accredit Solutions and Changes
• AI7.1 Training—Train the staff members of the affected user departments and the
operations group of the IT function in accordance with the defined training and
implementation plan and associated materials, as part of every information systems
development, implementation or modification project.
• AI7.2 Test plan—Establish a test plan based on organisationwide standards that define
roles, responsibilities, and entry and exit criteria. Ensure that the plan is approved by
relevant parties.
• AI7.3 Implementation plan—Establish an implementation and fallback/backout plan.
• AI7.4 Test environment—Define and establish a secure test environment representative of
the planned operations environment relative to security, internal controls, operational
practices, data quality and privacy requirements, and workloads.
DS5 Ensure Systems Security
• DS5.1 Management of IT security—Manage IT security at the highest appropriate
organisational level, so the management of security actions is in line with business
requirements.
• DS5.2 IT security plan—Translate business, risk and compliance requirements into an
overall IT security plan, taking into consideration the IT infrastructure and the security
culture. Ensure that the plan is implemented in security policies and procedures together
with appropriate investments in services, personnel, software and hardware. Communicate
security policies and procedures to stakeholders and users.
• DS5.3 Identity management—Ensure that all users (internal, external and temporary) and

their activity on IT systems (business application, IT environment, system operations,
development and maintenance) are uniquely identifiable. Enable user identities via
authentication mechanisms. Confirm that user access rights to systems and data are in line
with defined and documented business needs and that job requirements are attached to user
identities. Ensure that user access rights are requested by user management, approved by
system owners and implemented by the security-responsible person. Maintain user
identities and access rights in a central repository. Deploy cost-effective technical and
procedural measures, and keep them current to establish user identification, implement
authentication and enforce access rights.
• DS5.4 User account management—Address requesting, establishing, issuing, suspending,
modifying and closing user accounts and related user privileges with a set of user account
management procedures. Include an approval procedure outlining the data or system owner
granting the access privileges. These procedures should apply for all users, including
administrators (privileged users) and internal and external users, for normal and emergency
cases. Rights and obligations relative to access to enterprise systems and information
should be contractually arranged for all types of users. Perform regular management review
of all accounts and related privileges.
• DS5.10 Network security—Use security techniques and related management procedures
(e.g., firewalls, security appliances, network segmentation, intrusion detection) to authorise
access and control information flows from and to networks.
DS9 Managing the Configuration
• DS9.1 Configuration repository and baseline—Establish a supporting tool and a central
repository to contain all relevant information on configuration items. Monitor and record
all assets and changes to assets. Maintain a baseline of configuration items for every
system and service as a checkpoint to which to return after changes.
• DS9.2 Identification and maintenance of configuration items—Establish configuration
procedures to support management and logging of all changes to the configuration
repository. Integrate these procedures with change management, incident management and
problem management procedures.
• DS9.3 Configuration integrity review—Periodically review the configuration data to verify
and confirm the integrity of the current and historical configuration.
DS11 Manage Data
• DS11.2 Storage and retention arrangements—Define and implement procedures for
effective and efficient data storage, retention and archiving to meet business objectives, the
organisation’s security policy and regulatory requirements.
• DS11.5 Backup and restoration—Define and implement procedures for backup and
restoration of systems, applications, data and documentation in line with business

requirements and the continuity plan.
• DS11.6 Security requirements for data management—Define and implement policies and
procedures to identify and apply security requirements applicable to the receipt, processing,
storage and output of data to meet business objectives, the organisation’s security policy
and regulatory requirements.
ME2 Monitor and Evaluate Internal Control
• ME2.1 Monitoring of internal control framework—Continuously monitor, benchmark and
improve the IT control environment and control framework to meet organisational
objectives.
• ME2.2 Supervisory review—Monitor and evaluate the efficiency and effectiveness of
internal IT managerial review controls.
• ME2.3 Control exceptions—Identify control exceptions, and analyse and identify their
underlying root causes. Escalate control exceptions and report to stakeholders
appropriately. Institute necessary corrective action.
• ME2.4 Control self-assessment—Evaluate the completeness and effectiveness of
management’s control over IT processes, policies and contracts through a continuing
programme of self-assessment.
• ME2.7 Remedial actions—Identify, initiate, track and implement remedial actions arising
from control assessments and reporting.
ME3 Ensure Compliance With External Requirements
• ME3.1 Identification of external, legal, regulatory and contractual compliance
requirements—Identify, on a continuous basis, local and international laws, regulations,
and other external requirements that must be complied with for incorporation into the
organisation's IT policies, standards, procedures and methodologies.
• ME3.2 Optimisation of response to external requirements—Review and adjust IT policies,
standards, procedures and methodologies to ensure that legal, regulatory and contractual
requirements are addressed and communicated.
• ME3.3 Evaluation of compliance with external requirements—Confirm compliance of IT
policies, standards, procedures and methodologies with legal and regulatory requirements.
• ME3.4 Positive assurance of compliance—Obtain and report assurance of compliance and
adherence to all internal policies derived from internal directives or external legal,
regulatory or contractual requirements, confirming that any corrective actions to address
any compliance gaps have been taken by the responsible process owner in a timely manner.
ME4 Provide IT Governance
• ME4.1 Establishment of an IT governance framework—Define, establish and align the IT
governance framework with the overall enterprise governance and control environment.
Report IT governance status and issues.

• ME4.3 Value delivery—Manage IT-enabled investment programmes and other IT assets
and services to ensure that they deliver the greatest possible value in supporting the
enterprise’s strategy and objectives. Ensure that the expected business outcomes of
IT-enabled investments and the full scope of effort required to achieve those outcomes are
understood; that comprehensive and consistent business cases are created and approved by
stakeholders; that assets and investments are managed throughout their economic life
cycle; and that there is active management of the realisation of benefits, such as
contribution to new services, efficiency gains and improved responsiveness to customer
demands.


VII. Maturity Assessment vs. Target Assessment

[Spider graph not reproduced in this text. Caption: This spider graph is an example of the assessment results and maturity target for an Exchange Server 2010 assessment. Axes (maturity scale 1 to 5): PO1 Define a Strategic IT Plan; PO2 Define the Information Architecture; PO4 Define the IT Processes, Organisation and Relationships; AI1 Identify Automated Solutions; AI3.3 Infrastructure Maintenance; AI7 Install and Accredit Solutions and Changes; DS5 Ensure Systems Security; DS9 Managing the Configuration; DS9.3 Configuration Integrity Review; DS11 Manage Data; ME2 Monitor and Evaluate Internal Control; ME3 Ensure Compliance With External Requirements; ME4 Provide IT Governance. Series plotted: Assessment, Target.]


Appendix I. Exchange Server 2010—Server Roles*

1. Client Access Server enables access to mailboxes through a variety of clients: Outlook, Outlook Anywhere, Outlook Web App, POP3, IMAP4. It also hosts Exchange Web
services, such as the Autodiscover and Availability services.
2. Hub Transport Server handles mail flow inside the Exchange organization, applies transport rules and journaling policies, and delivers mail to recipients’ mailboxes.
3. Mailbox Server hosts mailbox and public folder databases, generates the offline address book (OAB), and enforces email address policies and managed folders.
4. Edge Transport Server, as the name suggests, is an Internet-facing server that routes mail into and out of the Exchange organization. It also performs anti-spam and antivirus
filtering, and applies messaging security policies to messages in transport. The Edge Transport Server must be installed on its own server in the perimeter network and outside
the Active Directory forest.
5. Unified Messaging Server provides connectivity between Exchange Server and the internal telephony system (PBX), allowing users to access their mailboxes from
telephones and also to receive voicemail messages in their Exchange Server mailboxes.

*Source: Microsoft Technet Library



Appendix II. Exchange Server 2010 Transport Pipeline—Schematic*

*Source: Microsoft Technet Library


Appendix III. Specimen Exchange Server Management Role Hierarchy
