Microsoft® Exchange Server 2010 Audit/Assurance Program
ISACA®
With 95,000 constituents in 160 countries, ISACA (www.isaca.org) is a leading global provider of knowledge,
certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise
governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit, independent
ISACA hosts international conferences, publishes the ISACA® Journal, and develops international IS auditing and
control standards, which help its constituents ensure trust in, and value from, information systems. It also advances
and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor ® (CISA®),
Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and
Certified in Risk and Information Systems Control™ (CRISC™) designations. ISACA continually updates COBIT ®,
which helps IT professionals and enterprise leaders fulfill their IT governance and management responsibilities,
particularly in the areas of assurance, security, risk and control, and deliver value to the business.
Disclaimer
ISACA has designed and created Microsoft® Exchange Server Audit/Assurance Program (the “Work”) primarily as
an informational resource for audit and assurance professionals. ISACA makes no claim that use of any of the Work
will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures
and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same
results. In determining the propriety of any specific information, procedure or test, audit and assurance professionals
should apply their own professional judgment to the specific circumstances presented by the particular systems or IT
environment.
Reservation of Rights
© 2011 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified,
distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical,
photocopying, recording or otherwise) without the prior written authorization of ISACA. Reproduction and use of
all or portions of this publication are permitted solely for academic, internal and noncommercial use and
consulting/advisory engagements and must include full attribution of the material’s source. No other right or
permission is granted with respect to this work.
ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
E-mail: info@isaca.org
Web site: www.isaca.org
ISBN 978-1-60420-190-1
Microsoft® Exchange Server Audit/Assurance Program
CRISC is a trademark/service mark of ISACA. The mark has been applied for or registered in countries throughout
the world.
Microsoft® Exchange Server Audit/Assurance Program is an independent publication and is not affiliated with, nor
has it been authorized, sponsored or otherwise approved by, Microsoft Corporation.
Expert Reviewers
Milthon J. Chavez, Ph.D., CISA, CISM, CGEIT, CRISC, ISO27000LA, MCH Consulting, Venezuela
Kerrie Douglas, CISA, CGEIT, DaVita, USA
Michael Jones, CISA, Bank of Montreal, Canada
William C. Lisse, Jr., CISA, CGEIT, CISSP, G7799, PMP, OCLC Inc., USA
John Tannahill, CISM, CGEIT, CRISC, CA, J. Tannahill & Associates, Canada
Knowledge Board
Marc Vael, Ph.D., CISA, CISM, CGEIT, CISSP, Valuendo, Belgium, Chairman
Michael A. Berardi Jr., CISA, CGEIT, Nestle USA, USA
John Ho Chi, CISA, CISM, CRISC, CBCP, CFE, Ernst & Young LLP, Singapore
Phil Lageschulte, CGEIT, CPA, KPMG LLP, USA
Jon Singleton, CISA, FCA, Auditor General of Manitoba (retired), Canada
Patrick Stachtchenko, CISA, CGEIT, Stachtchenko & Associates SAS, France
ITGI Japan
Norwich University
Solvay Brussels School of Economics and Management
Strategic Technology Management Institute (STMI) of the National University of Singapore
University of Antwerp Management School
ASI System Integration
Hewlett-Packard
IBM
SOAProjects Inc
Symantec Corp.
TruArx Inc.
Table of Contents
I. Introduction.......................................................................................................................................4
II. Using This Document........................................................................................................................5
III. Assurance and Control Framework....................................................................................................8
IV. Executive Summary of Audit/Assurance Focus.................................................................................9
V. Audit/Assurance Program................................................................................................................14
1. Planning and Scoping the Audit...................................................................................................14
2. Preparatory Steps.........................................................................................................................16
3. Governance..................................................................................................................................18
4. Server Configuration....................................................................................................................25
5. Network.......................................................................................................................................34
6. Contingency Planning..................................................................................................................34
VI. Maturity Assessment.......................................................................................................................38
VII. Maturity Assessment vs. Target Assessment...................................................................................43
Appendix I. Exchange Server 2010—Server Roles...................................................................................44
Appendix II. Exchange Server 2010 Transport Pipeline—Schematic........................................................45
Appendix III. Specimen Exchange Server Management Role Hierarchy...................................................46
I. Introduction
Overview
ISACA has developed the IT Assurance Framework™ (ITAF™) as a comprehensive and good-practice-
setting model. ITAF provides standards that are designed to be mandatory and are the guiding principles
under which the IT audit and assurance profession operates. The guidelines provide information and
direction for the practice of IT audit and assurance. The tools and techniques provide methodologies,
tools and templates to provide direction in the application of IT audit and assurance processes.
Purpose
The audit/assurance program is a tool and template to be used as a roadmap for the completion of a
specific assurance process. ISACA has commissioned audit/assurance programs to be developed for use
by IT audit and assurance professionals with the requisite knowledge of the subject matter under review,
as described in ITAF section 2200—General Standards. The audit/assurance programs are part of ITAF
section 4000—IT Assurance Tools and Techniques.
Control Framework
The audit/assurance programs have been developed in alignment with the ISACA COBIT framework—
specifically COBIT4.1—using generally applicable and accepted good practices. They reflect ITAF
sections 3400—IT Management Processes, 3600—IT Audit and Assurance Processes, and 3800—IT
Step 1 is part of the fact-gathering and prefieldwork preparation. Because the prefieldwork is essential to
a successful and professional review, the steps have been itemized in this plan. The first level steps, e.g.,
1.1, are shown in bold type and provide the reviewer with a scope or high-level explanation of the
purpose for the substeps.
Beginning in step 2, the steps associated with the work program are itemized. To simplify the use of the
program, the audit/assurance objective—the reason for performing the steps in the topic area—is
described. The specific controls follow. Each review step is listed below the control. These steps may
include assessing the control design by walking through a process, interviewing, observing or otherwise
verifying the process and the controls that address that process. In many cases, once the control design
has been verified, specific tests need to be performed to provide assurance that the process associated
The maturity assessment, which is described in more detail later in this document, makes up the last
section of the program.
The audit/assurance plan wrap-up—those processes associated with the completion and review of work
papers, preparation of issues and recommendations, report writing, and report clearing—has been
excluded from this document since it is standard for the audit/assurance function and should be identified
elsewhere in the enterprise’s standards.
COBIT Cross-reference
The COBIT cross-reference provides the audit and assurance professional with the ability to refer to the
specific COBIT control objective that supports the audit/assurance step. The COBIT control objective
should be identified for each audit/assurance step in the section. Multiple cross-references are not
uncommon. Processes at lower levels in the work program are too granular to be cross-referenced to
COBIT. The audit/assurance program is organized in a manner to facilitate an evaluation through a
structure parallel to the development process. COBIT provides in-depth control objectives and suggested
control practices at each level. As professionals review each control, they should refer to COBIT4.1 or the
IT Assurance Guide: Using COBIT for good-practice control guidance.
COSO Components
As noted in the introduction, COSO and similar frameworks have become increasingly popular among
audit and assurance professionals. This ties the assurance work to the enterprise’s control framework.
While the IT audit/assurance function uses COBIT as a framework, operational audit and assurance
professionals use the framework established by the enterprise. Since COSO is the most prevalent internal
control framework, it has been included in this document and is a bridge to align IT audit/assurance with
the rest of the audit/assurance function. Many audit/assurance organizations include the COSO control
components within their report and summarize assurance activities to the audit committee of the board of
directors.
For each control, the audit and assurance professional should indicate the COSO component(s) addressed.
It is possible, but generally not necessary, to extend this analysis to the specific audit step level.
The original COSO internal control framework contained five components. In 2004, COSO was revised
as the Enterprise Risk Management (ERM) Integrated Framework and extended to eight components. The
primary difference between the two frameworks is the additional focus on ERM and integration into the
business decision model. ERM is in the process of being adopted by large enterprises. The two
frameworks are compared in figure 1.
The original COSO internal control framework addresses the needs of the IT audit and assurance
professional: control environment, risk assessment, control activities, information and communication,
and monitoring. As such, ISACA has elected to utilize the five-component model for these
audit/assurance programs. As more enterprises implement the ERM model, the additional three columns
can be added, if relevant. When completing the COSO component columns, consider the definitions of
the components as described in figure 1.
Reference/Hyperlink
Good practices require the audit and assurance professional to create a work paper for each line item,
which describes the work performed, issues identified and conclusions. The reference/hyperlink is to be
used to cross-reference the audit/assurance step to the work paper that supports it. The numbering system
of this document provides a ready numbering scheme for the work papers. If desired, a link to the work
paper can be pasted into this column.
Issue Cross-reference
This column can be used to flag a finding/issue that the IT audit and assurance professional wants to
further investigate or establish as a potential finding. The potential findings should be documented in a
work paper that indicates the disposition of the findings (formally reported, reported as a memo or verbal
finding, or waived).
Comments
The comments column can be used to indicate the waiving of a step or other notations. It is not to be used
in place of a work paper describing the work performed.
As described in the following Executive Summary section, Exchange Server 2010 is an architecture that
supports and drives business processes.
The primary COBIT processes associated with an implementation of Exchange Server 2010 are as
follows:
PO2 Define the information architecture—Defined data classification scheme used to establish
content security requirements
PO6 Communicate management aims and direction—Once governance and policies are established
communicating same to the users
AI1 Identify automated solutions—Business requirements necessary to define and implement business
processes
AI3 Acquire and maintain technology infrastructure—Technology architecture required to support
the Exchange Server 2010 environment and ensure alignment with the enterprise architecture
DS5 Ensure systems security—Security configuration and processes required to secure the Exchange
Server 2010 contents
DS9 Manage the configuration—Configuration settings of the various servers which support the
infrastructure of Exchange Server 2010
DS11 Manage data—Data management classification, storage, and retention
ME2 Monitor and evaluate internal control—The decentralized nature of Exchange Server 2010
installations requires the monitoring of internal control as a part of the management structure
ME3 Ensure compliance with external requirements—Compliance with regulatory and legal entities
associated with the Exchange Server 2010 content
ME4 Provide IT governance—Decentralized Exchange Server 2010 environments managed by users
require policies and processes to assure adherence to internal controls, effective and efficient data
management, and accompanying management oversight
Refer to ISACA’s COBIT Control Practices: Guidance to Achieve Control Objectives for Successful IT
Governance, 2nd Edition, published in 2007, for the related control practice value and risk drivers.
As is well known, e-mail is a primary target for malware and attacks. E-mail is both a favored vector for
propagating malware and a major resource-sapping nuisance in its own right (e.g., spam). Therefore,
Exchange Server security and control are fundamental to overall enterprise security.
Security has been a major focus of Exchange Server 2010 and it includes the following security features:
Role-based Access Control (RBAC)—Allows for more granular management of permissions
assigned to different stakeholders, e.g., recipient administrators, server administrators, records and
discovery managers, and organization administrators.
High availability (HA)
Throttling Policies—Throttling mechanisms on Mailbox, Client Access and Transport help to
protect against and reduce the impact of denial of service (DoS) attacks.
Federated Delegation—Allows users to collaborate securely with users in external organizations.
This includes cross-forest collaboration, without the need to set up and manage Active Directory trust
relationships.
Information Rights Management—Enables protection (encryption) of sensitive message content at
multiple levels, while maintaining the enterprise’s ability to decrypt, search and apply messaging
policies to protected content.
No Security Configuration Wizard—Configuration changes are made via Setup, to install and
enable only those services required for a particular Exchange Server role and to limit communication
to only those ports required for the services and processes running on each server role. This removes
the need for tools such as the Security Configuration Wizard (SCW) to configure these settings.
In addition, Microsoft now provides Forefront Protection for Exchange Server (FPE), a comprehensive,
multiserver mechanism for protection against the dual threats of malware and spam, including:
Signature redistribution—Deploys antivirus signature updates to the servers.
Policy (configuration) deployment—Deploys a centralized set of configuration settings to one or
more FPE or Forefront Protection for SharePoint (FPSP) servers.
Exchange Server 2010 is a significant upgrade to prior versions, especially in the areas of security and
controls. Therefore, this document focuses on this latest (2010) version. Currently, Exchange Server 2010
is available in two server editions:
Standard Edition—Designed for the messaging and collaboration needs of small and medium
corporations, or for specific server roles or branch offices; supports up to 5 databases
Enterprise Edition—Designed for large enterprises; supports up to 100 databases
This audit/assurance program focuses on the superset of the Enterprise Edition; audit/assurance staff
should make appropriate changes when assessing the Standard Edition.
Corporate e-mails (and, therefore, the supporting Exchange Server 2010 infrastructure) may contain any
kind of business-critical information, including, but not limited to:
Intellectual property, e.g., patents, copyrighted material
Sensitive corporate material, e.g., board of directors report distribution and repository, financial data,
marketing and strategic planning data, personnel information, current sales and marketing data
Enterprise or department procedures and policies
Communications with third parties, e.g., customers, federal authorities, external legal counsel, joint
venture partners, stockholders, Wall Street, external auditors
Internal audit work papers
Issue monitoring
Internal control documentation and testing
Failure to design and manage effective Exchange Server 2010 controls could result in:
The above list is not intended to intimidate the audit/assurance professional, but rather to indicate that
security and control of Exchange Server 2010 depend on the larger control structure in place in the
enterprise. The audit of Exchange Server 2010 needs to take account of this integration with other parts of
the corporate IT architecture.
This means, that in addition to technical aspects of Exchange Server 2010, the audit/assurance
professional must focus on the governance, policies and monitoring/oversight functions associated with
its deployment and management.
During the audit planning process, the auditor must determine the scope of the audit. Depending on the
specific implementation, this may include:
Evaluation of governance, policies and oversight relating to Exchange Server 2010
Data classification policies and management
The relevant Exchange Server 2010 business case, deployment or upgrade, strategy, and
implementation controls
Technical architecture, including interfaces with existing applications, security systems and
technology
Assessments of IT architecture to support Exchange Server 2010, e.g., IIS web servers, application
servers, database servers, antivirus servers, intrusion detection/prevention servers, FPE servers
Baseline configurations of specific hardware/software implementation
Issues related to decentralized Exchange Server 2010 servers or server farms, where appropriate
Issues related to failover clustering, where appropriate
Security standards and security configuration baselines
Consider reviewing external reference sources such as Microsoft Exchange Server 2010 Security
Guide and Center for Internet Security Exchange 2007 Benchmark. (See the list below for the
relevant URLs.)
The audit/assurance professional should be familiar with Exchange Server 2010’s primary management
tools:
Exchange Management Console (EMC)—The main graphical console for configuring, managing
and viewing an operational Exchange Server 2010
Exchange Control Panel (ECP)
Exchange Management Shell (EMS)
The audit and assurance professional is cautioned not to attempt to conduct an audit/assurance review of
Exchange Server 2010 utilizing this program as a checklist. Prior to commencing an audit of Exchange
Server 2010, the auditor might consider reviewing the following resources:
Jagott, Siegfried; Joel Stidley; MS Exchange Server team; Microsoft Exchange Server 2010: Best
Practices, Microsoft Press, USA, 2010
Redmond, Tony; Microsoft Exchange Server 2010: Inside Out, Microsoft Press, USA, 2010
Diogenes, Yuri; Thomas W. Shinder; Deploying Microsoft Forefront Protection 2010 for Exchange
Server, Microsoft Press, USA, 2010
Microsoft Press, Security Operations for Exchange Server: Patterns & Practices, USA, 2002
Microsoft Forefront Protection Server Script Kit; useful PowerShell scripts free download from
www.microsoft.com/download/en/details.aspx?id=20233
The following resources provide useful guidance on some of the technical and configuration aspects of an
Exchange Server 2010 environment:
Exchange Server 2010 Security Guide, http://technet.microsoft.com/en-us/library/bb691338.aspx
Exchange Server 2010 Deployment Assistant, http://technet.microsoft.com/en-us/exdeploy2010/default.aspx#Index
V. Audit/Assurance Program
Column headings for the program table: Audit/Assurance Program Step | COBIT Cross-reference | COSO components (Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring) | Reference Hyperlink | Issue Cross-reference | Comments
1. PLANNING AND SCOPING THE AUDIT
1.1 Define the audit/assurance objectives. The audit/assurance objectives are high level
and describe the overall audit goals.
1.1.1 Review the audit/assurance objectives in the introduction to this audit/assurance
program.
1.1.2 Modify the audit/assurance objectives to align with the audit/assurance universe,
annual plan and charter.
1.2 Define audit assignment success. The success factors need to be identified.
Communication among the IT audit/assurance team, other assurance teams and the
enterprise is essential.
1.2.1 Identify the drivers for a successful review. (This should exist in the assurance
function’s standards and procedures.)
1.2.2 Communicate success attributes to the process owner or stakeholder, and obtain
agreement.
1.3 Define the boundaries of the review. The review must have a defined scope.
Understand the functions and application requirements for the Exchange Server
2010 sites within scope.
1.3.1 Obtain a list of Exchange Server 2010 sites, farms, and servers.
1.3.2 Determine the content of Exchange Server 2010 sites to be considered for review.
1.3.3 Determine if a data classification analysis has been performed for the Exchange
Server 2010 sites.
1.3.4 Identify the criteria for selecting Exchange Server 2010 sites for inclusion in the
current audit/review.
1.3.5 Identify and review associated policies concerning e-mail, such as remote access,
acceptable usage and use of webmail.
1.4 Identify and document audit risk. The risk assessment is necessary to evaluate
where audit resources should be focused. In most enterprises, audit resources are
not available for all processes. The risk-based approach assures utilization of audit
resources in the most effective manner. (COBIT cross-reference: PO9.2)
1.4.1 Identify the business risk associated with the Exchange Server 2010 sites under
consideration for audit/review.
1.4.2 Based on the risk assessment, evaluate the overall audit risk factor for performing
the audit/review.
1.4.3 Based on the risk assessment, identify changes to the scope.
1.4.4 Discuss the risk with IT management, and adjust the risk assessment.
1.4.5 Based on the risk assessment, revise the scope.
1.5 Define the audit change process. The initial audit approach is based on the
reviewer’s understanding of the operating environment and associated risk. As
further research and analysis are performed, changes to the scope and approach
may result. (COBIT cross-reference: AI6.1)
1.5.1 Identify the senior IT assurance resource responsible for the review.
1.5.2 Establish the process for suggesting and implementing changes to the
audit/assurance program and the authorizations required.
1.6 Define the audit/assurance resources required. The resources required are defined
in the introduction to this audit/assurance program.
1.6.1 Determine the audit/assurance skills necessary for the review.
1.6.2 Estimate the total audit/assurance resources (hours) and time frame (start and end
dates) required for the review.
1.7 Define deliverables. The deliverables are not limited to the final report.
Communication between the audit/assurance teams and the process owner is
essential to assignment success.
1.7.1 Determine the interim deliverables, including initial findings, status reports, draft
reports, due dates for responses or meetings, and the final report.
1.8 Communicate. The audit/assurance process must be clearly communicated to the
customer/client.
1.8.1 Conduct an opening conference to discuss:
Objectives with the stakeholders
Documents and information security resources required to perform the review
Scope, and any scope limitations (audit boundaries)
Budgets
Due dates
Time lines
Milestones
Deliverables
2. PREPARATORY STEPS
2.1 Obtain and review the current organizational charts relating to Exchange Server
2010.
2.1.1 Obtain the organization chart for the IT infrastructure.
2.1.2 Obtain the organization chart for the Exchange Server 2010 administration (if
different from or not included with 2.1.1).
2.2 Obtain the job descriptions of personnel responsible for the IT infrastructure and
Exchange Server 2010 administration.
2.3 Determine if audits of Exchange Server 2010, Windows Server, IIS, Active
Directory and SQL Server have been performed previously.
2.3.1 If these audits have been performed, obtain the work papers for the previous audits.
2.3.1.1 Review the security configuration, and determine if identified issues have
been corrected.
2.3.1.2 Determine if the specific servers under consideration for inclusion in the
scope of this audit have been included in the review.
2.4 Select the Exchange Server 2010 sites, farms and servers to be included in the
audit/review.
2.4.1 Based on the prioritized list of Exchange Server 2010 sites, select the farms and
supporting servers to be included in the review. Be sure that there is a representative
sample of any Exchange Server 2010 sites determined to be high-risk.
2.4.2 Select one or more servers from each of the five server roles: Mailbox, Client
Access Server, Hub Transport, Edge Transport and Unified Messaging (as
appropriate).
2.4.3 Select one or more servers from failover clusters.
2.5 Document the Configuration
2.5.1 Use Exchange Management Console (EMC) to determine:
Organization configuration – applies organization-wide to all Exchange servers
Server configuration – details of specific servers, i.e., chosen for audit/review
Service Pack level installed – compare to latest service pack at
www.microsoft.com/exchange/
Number and locations of all mounted Mailbox databases
Installed Exchange Server roles, i.e., Client Access Server, Mailbox Server,
Edge Transport Server, Hub Transport Server, Unified Messaging server (see
schematic diagram in VIII. Exchange Server 2010 – server roles)
Database Availability Groups – these groups drive database replication,
failover and recovery
Installed X.509 Digital Certificates – these drive e-mail encryption as well as
secure Federated Sharing with third parties (if Federation is deployed)
Outlook Anywhere – allows remote users (e.g., teleworkers or mobile devices)
to access e-mail boxes securely over Secure Hypertext Transfer Protocol
(HTTPS)
2.5.2 If necessary, run the Get-ExchangeServer cmdlet in Exchange Management Shell
(EMS) to display a list of installed Exchange Server 2010 server roles on the
specified server.
See http://technet.microsoft.com/en-us/library/bb123873.aspx for details of this cmdlet.
2.5.3 Ensure that the Edge Transport Server does not share hardware with any other
Exchange Server 2010 server role (even running in separate virtual machines on the
same host in a virtualized environment is discouraged).
2.5.4 If this is a recent deployment of Exchange Server 2010, request the relevant Setup
Log created during the installation and review for any unresolved warning or error
messages. The Setup Log is located at
<system drive>\ExchangeSetupLogs\ExchangeSetup.log (where <system drive>
is the root directory of the drive where the OS is installed).
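One way to collect the evidence that steps 2.5.1 through 2.5.4 call for is to script the Exchange Management Shell cmdlets involved, so the work paper holds exported output rather than screenshots. The following PowerShell is an added example, not part of ISACA's program; it assumes it is run inside EMS on an internal Exchange 2010 server by an account holding a read-only RBAC role (e.g. View-Only Organization Management), and the evidence folder path and the [WARNING]/[ERROR] tag format of ExchangeSetup.log are assumptions.

```powershell
# Added example: gather step 2.5 configuration evidence into CSV work papers.
# Run in the Exchange Management Shell (PowerShell 2.0 on Exchange 2010, so no -Append).
# Edge Transport servers are not in Active Directory; re-run this locally on each
# Edge server (steps 2.5.2 and 2.5.4) to cover that role.

$evidenceDir = 'C:\AuditEvidence\Exchange2010'   # assumed path; point at the engagement's work paper store
New-Item -ItemType Directory -Path $evidenceDir -Force | Out-Null

# 2.5.1 / 2.5.2: installed roles, edition and version (service pack level) per server.
# AdminDisplayVersion is what to compare against the current service pack.
$servers = Get-ExchangeServer
$servers |
    Select-Object Name, Site, Edition, AdminDisplayVersion, ServerRole |
    Export-Csv -Path "$evidenceDir\servers.csv" -NoTypeInformation

# 2.5.1: number and location of mounted mailbox databases (-Status populates Mounted).
$databases = Get-MailboxDatabase -Status
$databases |
    Select-Object Name, Server, Mounted, EdbFilePath, MasterServerOrAvailabilityGroup |
    Export-Csv -Path "$evidenceDir\mailbox-databases.csv" -NoTypeInformation

# 2.5.1: Database Availability Groups and their member servers.
Get-DatabaseAvailabilityGroup |
    Select-Object Name,
        @{Name = 'Servers'; Expression = { ($_.Servers | ForEach-Object { $_.Name }) -join ';' }},
        @{Name = 'Witness'; Expression = { $_.WitnessServer }} |
    Export-Csv -Path "$evidenceDir\dags.csv" -NoTypeInformation

# 2.5.1: installed X.509 certificates and the Exchange services bound to them.
# Self-signed or soon-to-expire certificates on SMTP/IIS are worth an issue cross-reference.
$certs = @()
foreach ($server in ($servers | Where-Object { -not $_.IsEdgeServer })) {
    $certs += Get-ExchangeCertificate -Server $server.Name |
        Select-Object @{Name = 'Server'; Expression = { $server.Name }},
            Thumbprint, Subject, NotAfter, Services, IsSelfSigned
}
$certs | Export-Csv -Path "$evidenceDir\certificates.csv" -NoTypeInformation

# 2.5.1: Outlook Anywhere (HTTPS) settings on each Client Access server.
Get-OutlookAnywhere |
    Select-Object Server, ExternalHostname, ClientAuthenticationMethod,
        IISAuthenticationMethods, SSLOffloading |
    Export-Csv -Path "$evidenceDir\outlook-anywhere.csv" -NoTypeInformation

# 2.5.3: flag any server that reports the Edge role together with another role.
# Setup normally prevents this, so an empty result is expected; whether the Edge server
# shares physical hardware or a hypervisor host still has to be confirmed manually.
$coLocatedEdge = $servers | Where-Object {
    $_.IsEdgeServer -and ($_.IsMailboxServer -or $_.IsClientAccessServer -or
                          $_.IsHubTransportServer -or $_.IsUnifiedMessagingServer)
}
$coLocatedEdge |
    Select-Object Name, ServerRole |
    Export-Csv -Path "$evidenceDir\edge-colocation-findings.csv" -NoTypeInformation

# 2.5.4: unresolved warnings and errors in the local server's setup log.
# The '[WARNING]' / '[ERROR]' tags are an assumption about the log format; adjust if needed.
$setupLog = "$env:SystemDrive\ExchangeSetupLogs\ExchangeSetup.log"
if (Test-Path $setupLog) {
    Select-String -Path $setupLog -Pattern '\[(WARNING|ERROR)\]' |
        Select-Object LineNumber, Line |
        Export-Csv -Path "$evidenceDir\setup-log-issues.csv" -NoTypeInformation
}

# Short summary for the work paper narrative.
"Servers: $($servers.Count); mounted databases: $(@($databases | Where-Object { $_.Mounted }).Count) of $($databases.Count); certificates: $($certs.Count)"
```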
3. GOVERNANCE
3.1 Business Case
Audit/Assurance Objective: The initial Exchange Server 2010 infrastructure and Exchange
Server 2010 sites are supported by a documented business case describing the return on
investment and other benefits.
4. Exchange Server 2010 Infrastructure Business Case
Control: A business case to support the development of the Exchange Server 2010
Infrastructure is fully documented and describes the benefits to be realized from an
Exchange Server 2010 environment.
COBIT cross-reference: PO1.2, PO2.1, AI1.3, AI3.1. COSO components marked: X X X X
4.1.1.1 Obtain the business case for the initial development of the Exchange Server
2010 infrastructure.
4.1.1.2 Determine if the business case describes the benefits to be realized from an
Exchange Server 2010 infrastructure and is appropriately authorized.
5. Exchange Server 2010 Site Business Case Requirements
Control: A business case to support the deployment of an Exchange Server 2010 site or
server farm is fully documented and describes the benefits to be realized therefrom.
COBIT cross-reference: PO1.2, PO2.1, AI1.3, AI3.1, DS11.1. COSO components marked: X X X
5.1.1.1 Select a sample of Exchange Server 2010 sites and farms within the audit
scope.
5.1.1.2 For each selected Exchange Server 2010 site, determine if the enterprise
systems development policy would require a business case for deploying or
upgrading to Exchange Server 2010.
5.1.1.3 If a business case is required, determine that a business case exists, describes
the benefits to be realized from the Exchange Server 2010 site, and is
appropriately authorized.
5.2 Exchange Server 2010 Policies
6. Guiding Principles
Audit/Assurance Objective: Exchange Server 2010 new deployments or upgrades (from
earlier versions of MS Exchange Server) adhere to enterprise objectives and
guiding principles.
Exchange Server 2010 Guiding Principles Document
Control: A guiding principles document has been established and addresses key
Exchange Server 2010 deployment, upgrade and operations issues.
COBIT cross-reference: PO1.4, PO6, AI1.1, AI1.4, ME4. COSO components marked: X X
7.1.1.1.1 Determine if a guiding principles or similarly named document exists
which outlines the specific deployment objectives.
7.1.1.1.1.1 Governance Documentation
7.1.1.1.1.1.1 Determine that the guiding principles address
enterprise general policies relating to privacy,
copyright, records retention, confidentiality,
compliance and security.
7.1.1.1.1.2 Site Design
7.1.1.1.1.2.1 Determine if the guiding principles require Exchange Server 2010 site design to:
- Use a consistent architecture
- Approve changes based on demonstrated need
- Have a designated owner for each site or farm
- Take cognizance of enterprise backup and recovery policies and procedures
- Address relevant compliance requirements: federal, state, local
8. Policies and Standards
Audit/Assurance Objective: Policies and standards adhere to enterprise policies and
standards
Exchange Server 2010 Policies and Standards
Control: Exchange Server 2010 policies are defined, documented and distributed to Exchange Server 2010 administrators, architects, application developers and relevant users.
COBIT cross-reference: PO6.4, PO6.5. COSO: X
9.1.1.1.1 Determine if an Exchange Server 2010 policies and standards
document exists.
9.1.1.1.2 Obtain the Exchange Server 2010 policies and standards document,
and review it for the following:
9.1.1.1.2.1 Policy Alignment and Review
9.1.1.1.2.1.1 Exchange Server 2010 policies and standards
align with corporate policies and standards.
9.1.1.1.2.1.2 Exchange Server 2010 policies and standards
are reviewed at least annually and updated as
required.
9.1.1.1.2.1.3 Exchange Server 2010 policies and standards
are formally approved by the CEO.
9.1.1.1.2.2 Content
9.1.1.1.2.2.1 Content is subject to review according to data
classification policies and computer use
policies.
9.1.1.1.2.2.2 Data is retained according to enterprise
retention policies, with provisions for a more
stringent policy based on data classification,
data content or user group (e.g., C-suite
executive e-mail).
9.1.1.1.2.3 Deployment Practices/Processes
9.1.1.1.2.3.1 Exchange Server 2010 deployments follow a prescribed project framework, such as the Microsoft Operations Framework (MOF) [2] or the IT Infrastructure Library (ITIL). [3]
9.1.1.1.2.3.2 If this is a recent or new deployment of Exchange Server 2010 or a recent upgrade from an earlier version of Exchange Server, documented industry-standard Good Practices were followed, e.g., Microsoft Exchange Server Deployment Assistant. [4]
[2] www.microsoft.com/MOF
[3] www.itil-officialsite.com/AboutITIL/WhatisITIL.asp
©2011 ISACA. All rights reserved. Page 22
Microsoft® Exchange Server 2010 Audit/Assurance Program
9.1.1.1.2.3.3 The deployment process includes security and control requirements, including antivirus/spam strategy (use Exchange Server’s built-in capability or hosted service), network security, patching, compliance and e-discovery.
9.1.1.1.2.3.4 Security requirements are defined according to
enterprise security policies, separation of
duties, approval policies, compliance, disaster
recovery, incident management, etc.
9.1.1.1.2.3.5 The deployment process includes appropriate
expected performance metrics to quantify
hardware needed, at present and in the future.
9.1.1.1.2.3.6 Exchange Server 2010 operations conducts appropriate capacity planning and on-going management to determine available and expected processing capacity.
9.1.1.1.2.3.7 Volume testing and load balancing for multiple
servers were conducted.
9.1.1.1.2.3.8 Disaster recovery planning was included.
9.1.1.1.2.3.9 Appropriate backup schedules have been
established.
9.1.1.1.2.3.10 Acceptable use policies are in place and have
been communicated to all users.
[4] http://technet.microsoft.com/en-us/exdeploy2010/default.aspx#Index
9.1.1.1.2.3.11 Encryption standards are in place (important for compliance with regulations, such as HIPAA and PCI).
9.1.1.1.2.4 Specific Site Policies
9.1.1.1.2.4.1 Specific sites may alter policies to require more
stringent security and design guidelines. More
relaxed policies not in compliance with data
classification standards and guidelines must be
approved by Information Security management
and the business data owner.
Gain documentary evidence of such approval(s), if
appropriate.
9.1.1.1.2.5 Audit Policies
9.1.1.1.2.5.1 Audit policies are aligned with enterprise audit
policies based on data classification.
9.1.1.1.2.5.2 Audit policies include monitoring of access to Exchange Server sites, farms and servers by:
- Site administrators
- Farm administrators
- Other privileged users, e.g., database administrators
10. Roles and Responsibilities
Audit/Assurance Objective: Policies and standards address the roles and responsibilities
for implementing and maintaining Exchange Server 2010 sites including the
underlying technology stack that supports Exchange Server 2010.
Roles and Responsibilities Description
Control: An Exchange Server 2010 policies and roles document describes the specific responsibilities of key job functions.
COBIT cross-reference: PO4.6, PO7. COSO: X X
11.1.1.1.1 Determine if an Exchange Server 2010 roles and responsibilities
document exists.
11.1.1.1.2 If the document exists, evaluate the appropriateness of the
descriptions for the following roles:
- Executive Sponsor
- Governance Board or Steering Committee
- Technology Administrator
- Technology Support Team
- Content Manager / Metadata Steering Committee
- Exchange Server 2010 Deployment Consultant
- Network Architect
- Site Designer
- Site Owner
11.1.1.1.3 Review the roles against the following responsibilities to assure these
responsibilities are assigned to a job function and to specific
individual(s):
- Management of the technical infrastructure, including servers, networks, database management, mailbox management, etc.
- Management of the Exchange Server 2010 farms infrastructure
- Management of individual Exchange Server sites
- Site security
- Access controls, i.e., user provisioning
- Performance evaluation
- Business continuity and disaster recovery
11.2 Monitoring
completeness, and appropriate and timely escalations.
15. SERVER CONFIGURATION
15.1 Virtualization
Audit/Assurance Objective: Exchange Server 2010 servers running in a virtualized
environment are fully segregated from other servers running on the same physical
hardware.
16. Virtualization Segregation
Control: Exchange Server 2010 servers are segregated from other servers in the virtualization pool.
COBIT cross-reference: PO2.1, DS5.1, DS9. COSO: X
16.1.1.1 Obtain the server virtualization specifications and architecture
documentation.
16.1.1.2 Determine that controls within the virtualization configuration assure
complete segregation of Exchange Server 2010 processes and access rights
from other environments.
16.1.1.3 If a virtualization audit has been performed, review the findings and issue
monitoring for identified control concerns and remediation plans.
16.1.1.4 If no recent virtualization audit has been performed and the Exchange Server
2010 servers operate in a virtualized environment, consider postponing the
Exchange Server 2010 audit until a virtualization audit can be performed.
Refer to the ISACA VMware Audit/Assurance Program, as needed.
16.2 Role-based Access Controls (RBAC)
Audit/Assurance Objective: Role-based Access Controls are deployed to control, at both the broad and granular level, what administrators and end users are permitted to do in the Exchange Server 2010 environment, and the roles assigned to them align with their actual roles within the organization. (COBIT cross-reference: DS1)
17. Role Groups Are Used
Control: Role Groups are used to grant permissions to the various privileged roles. Exchange Server 2010 ships with an extensive list of management roles—all privileged positions should be provisioned according to their role groups.
COBIT cross-reference: PO2.3, DS5.3, DS5.4. COSO: X
17.1.1.1 Obtain a copy of the most recent Exchange Server 2010 Management Role
hierarchy chart—see Appendix III of this document for an example.
17.1.1.2 Determine that the Management Role hierarchy chart includes all built-in
roles as well as all custom management roles. Obtain explanations for roles
with excessive privileges.
17.1.1.3 Retrieve a list of role assignments. Since this cannot be done with EMC, it
requires use of the Get-ManagementRoleAssignment cmdlet.
For details, see http://technet.microsoft.com/en-us/library/dd351024.aspx
Example: Get-ManagementRoleAssignment "Tier 1*"—retrieves a list of all the
role assignments beginning with the string "Tier 1".
17.1.1.4 Select a sample of Management Roles and view the details of their allocated
privileges, using the above Get-ManagementRoleAssignment cmdlet.
Example: Get-ManagementRoleAssignment "Help Desk Assignment" | Format-List — retrieves the details of the Help Desk Assignment role assignment.
17.1.1.5 Select a sample of role assignees and view their role assignments. Obtain
explanations for excessive or unusual privileges.
Example: Get-ManagementRoleAssignment -RoleAssignee "Server Management" — to view the assignments of the Server Management role group.
17.1.1.6 Select a sample of role assignments that have been scoped to a specific organizational unit (OU) and retrieve a list of the corresponding role assignments.
Example: Get-ManagementRoleAssignment -RecipientOrganizationalUnitScope "OU" — where OU is the fully qualified name of the required OU.
17.1.1.7 Select a sample of senior management or sensitive servers and retrieve a list of role assignments that can modify the specific recipients or servers.
Example 1: Get-ManagementRoleAssignment -WritableRecipient "XXX" — to retrieve a list of role assignments that can modify the recipient named XXX.
Example 2: Get-ManagementRoleAssignment -WritableServer SV02 -RoleAssignee "Server Management" -GetEffectiveUsers — to retrieve all users who are assigned to the Server Management role group and who can modify the server SV02.
17.1.1.8 Obtain a list of role assignments that are disabled and obtain explanations.
Example: Get-ManagementRoleAssignment -Enabled $False
17.1.1.9 View the default management role assignment policy, as follows:
Get-RoleAssignmentPolicy | Format-Table Name, IsDefault
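The following script is an added example and is not part of the ISACA program. It runs the cmdlets named in steps 17.1.1.3 to 17.1.1.9 in one pass and writes the results to CSV files for the working papers, expanding each role group to its effective users so that nested group membership cannot hide an assignee. The output folder, the server name SV02 and the OU name are placeholders, and the list of high-risk roles is the author's selection of built-in Exchange Server 2010 management roles whose holders can grant rights, read other people's mail or alter journaling and hold settings.

```powershell
# Added example, not part of the ISACA program: collect the RBAC evidence called
# for in steps 17.1.1.3 to 17.1.1.9 into CSV files for the audit working papers.
# Run inside the Exchange Management Shell with at least the View-Only
# Organization Management role group (assumption). $OutDir, $SensitiveServer and
# $ScopedOu are placeholders; replace them with values from the audit scope.
param(
    [string]$OutDir          = 'C:\Audit\RBAC',
    [string]$SensitiveServer = 'SV02',
    [string]$ScopedOu        = 'example.local/Finance'
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
function Out-Evidence($Objects, $File) {
    $Objects | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir $File)
}

# 17.1.1.3 / 17.1.1.4: every assignment, built-in and custom, with its scopes.
# A write scope of 'Organization' means the assignment is not limited at all.
$all = Get-ManagementRoleAssignment
Out-Evidence ($all | Select-Object Name, Role, RoleAssignee, RoleAssigneeType, Enabled,
    RecipientWriteScope, ConfigWriteScope, CustomRecipientWriteScope) 'all-assignments.csv'

# 17.1.1.5: expand each role group to the people who actually hold the rights,
# so that nested groups cannot hide an assignee from the reviewer.
$effective = foreach ($group in Get-RoleGroup) {
    Get-ManagementRoleAssignment -RoleAssignee $group.Name -GetEffectiveUsers |
        Select-Object @{n='RoleGroup'; e={ $group.Name }}, Role, EffectiveUserName
}
Out-Evidence $effective 'effective-users.csv'

# Roles whose holders can grant rights, read other people's mail, or change
# journaling and legal-hold settings need an explicit business justification.
$highRisk = @('Role Management', 'Mailbox Import Export', 'Mailbox Search',
              'Legal Hold', 'Audit Logs', 'Journaling', 'Transport Rules')
Out-Evidence ($effective | Where-Object { $highRisk -contains $_.Role.ToString() } |
    Sort-Object EffectiveUserName, Role -Unique) 'high-risk-roles.csv'

# 17.1.1.6: assignments scoped to a single OU
Out-Evidence (Get-ManagementRoleAssignment -RecipientOrganizationalUnitScope $ScopedOu |
    Select-Object Name, Role, RoleAssignee, RecipientWriteScope) 'ou-scoped.csv'

# 17.1.1.7: everyone who can modify a sensitive server
Out-Evidence (Get-ManagementRoleAssignment -WritableServer $SensitiveServer -GetEffectiveUsers |
    Select-Object Role, RoleAssignee, EffectiveUserName) "writable-$SensitiveServer.csv"

# 17.1.1.8: disabled assignments; each one needs an explanation
Out-Evidence (Get-ManagementRoleAssignment -Enabled $false |
    Select-Object Name, Role, RoleAssignee) 'disabled-assignments.csv'

# 17.1.1.9: the end-user assignment policy applied by default to new mailboxes
Get-RoleAssignmentPolicy | Format-Table Name, IsDefault -AutoSize
```

The effective-user expansion is the part worth keeping: a role group listing shows group names, while -GetEffectiveUsers shows the individuals, which is what a reviewer compares against job roles.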
17.2 Secure Communication
Audit/Assurance Objective: Communication among Exchange Server 2010 servers and with
users is securely encrypted, using industry-standard cryptography.
18. Application Servers Configured for Security
Control: Database Availability Group (DAG) encryption is enabled for all databases.
COBIT cross-reference: DS5.11, DS11.6. COSO: X
18.1.1.1 Use the Get-DatabaseAvailabilityGroup cmdlet to view the NetworkEncryption setting of each DAG (the Set-DatabaseAvailabilityGroup cmdlet changes it). This should be set to Enabled.
Format: Set-DatabaseAvailabilityGroup <DAG name> -NetworkEncryption Enabled
19. Mobile Device Policies Are in Place
Control: Appropriate policies are in place to control mobile devices and protect against data leakage from such devices.
COBIT cross-reference: PO2.3, DS5.11. COSO: X
19.1.1.1 Obtain a copy of Mobile Device Policy and ensure it is current and has been
distributed to all affected users.
19.1.1.2 Ensure that the policy requires users who are permitted use of mobile
devices (smartphones, tablet computers, netbooks, etc.) to report the loss or
theft of such a device as soon as possible so the data on the device can be
remotely wiped.
19.1.1.3 Ensure that the policy requires users who are permitted use of mobile
devices to accept in writing that all data on mobile devices will be remotely
wiped immediately on termination of employment.
19.1.1.4 Ensure that the corporate acceptable use policy (for users of corporate
networks) specifically covers both e-mail and mobile device users.
19.2 Anti-spam and Antivirus
Audit/Assurance Objective: Proper anti-spam and antivirus technical controls are in place and
regularly updated and maintained.
20. Forefront Protection 2010 for Exchange (FPE) Server
Control: If Microsoft Forefront Protection 2010 for Exchange Server (FPE) is deployed, it is up to date for effective anti-spam and antivirus protection. FPE deployment is regarded as a good practice in an Exchange Server 2010 environment.
COBIT cross-reference: DS5.9, DS9. COSO: X
20.1.1.1 Obtain a copy of the FPE planning document and establish that proper planning was done before deployment (incorrect or ineffective deployment can have a significant negative effect on performance and, hence, user productivity). Reference: http://technet.microsoft.com/en-us/library/aa996562(EXCHG.140).aspx
20.1.1.2 Obtain evidence that Operations Management regularly uses FPE to review the protection levels in place in the user community; i.e., metrics exist and are regularly collected for proactive monitoring of e-mail users, namely:
- What percentage of users’ computers are/are not currently protected?
- Is antivirus software installed and turned on for all connected users?
- Do all users have the latest anti-malware definitions installed?
- What malware has been recently detected in the organization?
20.1.1.3 Use FPE’s Dashboard to review the above statistics under the Computer
Infection Status section. Obtain explanations for anomalies, such as
unusually high malware infection statistics, higher than normal numbers of
unprotected devices or devices for which protection could not be deployed,
etc.
20.1.1.4 Obtain evidence that Operations Management regularly monitors sites such
as Microsoft’s Malware Protection Center for the latest information on
malware. Reference: www.microsoft.com/security/portal/
20.1.1.5 Obtain evidence that Operations Management has assigned adequate resources to monitor, repair and report malware infections into the Exchange Server environment.
20.1.1.6 Obtain evidence that Operations Management provides regular statistical
summary reports to senior management on the status of protection in the
Exchange Server environment.
20.1.1.7 Obtain evidence that: (a) administrative privileges to FPE are role-based, (b) a highly restricted number of employees have such privileges, (c) these roles are regularly monitored, and (d) copies of passwords for the following privileged accounts are kept in a secure location, accessible by a senior individual in an emergency situation:
- FPE Full Administrator
- FPE Policy Author
- FPE Policy Deployment Manager
20.1.1.8 Establish that FPE policies are installed and operational. Policies include the frequency and time at which users’ devices are scanned, which devices (if any) are excluded, etc. Policies can be viewed in the FPE Configuration Manager under FPE Policies.
20.1.1.9 Establish that consistent FPE policies are deployed to all user devices. Obtain explanations for any discrepancies, e.g., user groups excluded from standard policy. View Policy Assignment in the FPE Configuration Manager under FPE Policies.
20.2 Messaging Compliance
Audit/Assurance Objective: Exchange Server 2010 is appropriately configured to comply with
relevant regulatory, legal, industry and corporate internal requirements.
21. Message Retention Is Appropriate for the Needs of the Enterprise
Control: Messages are retained for the appropriate duration to comply with the most restrictive requirement.
COBIT cross-reference: DS11.2. COSO: X
21.1.1.1 Verify that written corporate policy specifically and clearly defines the retention period for all e-mail messages and that this time period equals or exceeds that for the most restrictive compliance requirement for the enterprise.
21.1.1.2 Verify that Exchange Server 2010 Operations Management is fully aware of
the message retention and electronic discovery policies.
21.1.1.3 Verify that the Exchange Server 2010 deployment or upgrade process
included Messaging Records Management (MRM).
21.1.1.4 Verify that the Exchange Server 2010 environment includes the use of
Retention Tags that are applied to all messages. Types of Retention Tags
include: Default Policy Tag (DPT), Retention Policy Tag (RPT) and
Personal Tag.
21.1.1.5 Use the Exchange Management Console (EMC) to view the deployed
Retention Tags. The number of retention tags should not be too large, else
tag maintenance—and hence compliance with retention policy—may be too
onerous or ineffective.
21.2 Journaling Is Appropriately Controlled
Audit/Assurance Objective: Journaling is used to record e-mail communications for archival
and e-discovery purposes. Since mailbox journals can contain sensitive data, access to
them should be tightly controlled and monitored.
22. Journaling Is Controlled and Monitored
Control: Access to mailbox journal storage is restricted to a small number of trusted administrators.
COBIT cross-reference: ME1. COSO: X X X
22.1.1.1 Obtain and review a list of all personnel with access to mailbox journals and
obtain explanations if the number of personnel with access seems excessive
for the organization.
22.2 Litigation Hold Is Enabled for Potential Legal E-discovery
Audit/Assurance Objective: The environment is cognizant of the need for, and techniques to
achieve, litigation hold on specified mailboxes in the case of legal e-discovery.
23. Policies Are in Place to Effect a Legal Hold
Control: A legal hold policy is documented, up-to-date and conveyed to Exchange Server 2010 Operations Management.
COBIT cross-reference: DS5, DS11, ME1. COSO: X X
23.1.1.1 Obtain a copy of the legal hold policy and determine whether it has been
communicated to, and understood by, Exchange Server 2010 Operations
Management.
23.1.1.2 By query and observation, determine whether Exchange Server 2010
Operations Management is able to perform Multi-Mailbox Searches (either
via the ECP or the EMS).
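The script below is an added example, not part of the ISACA program, covering the Messaging Compliance steps 21.1.1.4 and 21.1.1.5 (retention tags and the policies that link them) together with 23.1.1.2 (litigation hold and multi-mailbox search). It uses the Exchange Server 2010 cmdlets Get-RetentionPolicyTag, Get-RetentionPolicy, Get-Mailbox and Get-MailboxSearch; the output folder and the tag-count threshold of 20 are assumptions, and the threshold is an audit judgement rather than an Exchange limit.

```powershell
# Added example, not part of the ISACA program: messaging-compliance evidence for
# steps 21.1.1.4, 21.1.1.5 and 23.1.1.2 (retention tags, retention-policy
# coverage, litigation holds and discovery searches). Run in the Exchange
# Management Shell with view-only rights (assumption); the tag-count threshold
# is an audit judgement, not an Exchange limit.
$OutDir = 'C:\Audit\Compliance'   # placeholder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
function Out-Evidence($Objects, $File) {
    $Objects | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir $File)
}

# 21.1.1.4: inventory of retention tags. Type 'All' is a Default Policy Tag (DPT),
# 'Personal' tags are applied by users, every other type is a folder-level RPT.
$tags = @(Get-RetentionPolicyTag)
Out-Evidence ($tags | Select-Object Name, Type, RetentionEnabled, AgeLimitForRetention, RetentionAction) 'retention-tags.csv'
$tags | Group-Object Type | Select-Object Name, Count | Format-Table -AutoSize

# 21.1.1.5: a large tag set makes policy maintenance error-prone
if ($tags.Count -gt 20) {
    Write-Warning ("{0} retention tags defined; assess whether this is maintainable" -f $tags.Count)
}

# A policy without a deleting DPT never removes untagged items; two deleting DPTs conflict
foreach ($policy in Get-RetentionPolicy) {
    $linked = @($policy.RetentionPolicyTagLinks | ForEach-Object { Get-RetentionPolicyTag -Identity $_.Name })
    $deleteDpt = @($linked | Where-Object { $_.Type -eq 'All' -and $_.RetentionAction -ne 'MoveToArchive' })
    if ($deleteDpt.Count -ne 1) {
        Write-Warning ("Policy '{0}' has {1} deleting default policy tag(s)" -f $policy.Name, $deleteDpt.Count)
    }
}

# Mailboxes with no retention policy are outside MRM altogether
$mailboxes = @(Get-Mailbox -ResultSize Unlimited)
Out-Evidence ($mailboxes | Where-Object { -not $_.RetentionPolicy } |
    Select-Object DisplayName, PrimarySmtpAddress, RecipientTypeDetails) 'mailboxes-without-policy.csv'

# 23.1.1.2: mailboxes on litigation hold, with who placed the hold and when
Out-Evidence ($mailboxes | Where-Object { $_.LitigationHoldEnabled } |
    Select-Object DisplayName, LitigationHoldDate, LitigationHoldOwner, RetentionPolicy) 'litigation-holds.csv'

# Multi-mailbox (discovery) searches that exist, who created them and where results went
Out-Evidence (Get-MailboxSearch | Select-Object Name, CreatedBy, Status, TargetMailbox,
    @{n='Sources'; e={ @($_.SourceMailboxes | ForEach-Object { $_.ToString() }) -join ';' }}) 'mailbox-searches.csv'
```

The mailboxes-without-policy list is the gap an EMC review of tags does not reveal: a well-designed retention policy protects nothing for a mailbox it is not applied to.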
23.2 Auditing And Logging
Audit/Assurance Objective: Exchange Server 2010 is configured to log all use of Windows
PowerShell cmdlets. This facilitates tracking of administrator-level functions using
PowerShell.
24. PowerShell Auditing Is Enabled
Control: The Exchange Server 2010 audit mailbox feature is enabled and in use. This feature logs all uses of PowerShell cmdlets which can be used to do specific administrator functions.
COBIT cross-reference: DS9. COSO: X
24.1.1.1 Determine if an auditing policy has been established to require logging of
the use of any PowerShell cmdlet.
24.1.1.2 If a policy exists, determine if it has been enabled for all Exchange Server
2010 sites.
24.1.1.3 Select a sample of Exchange Server 2010 sites and the defined auditing mailbox(es). Confirm this via the EMC.
24.1.1.4 Run an audit mailbox report, using ECP, select a sample of entries from the
audit mailbox and obtain explanations for the use of cmdlets. Include cases
where the cmdlet was run after normal working hours, if any.
24.1.1.5 Determine if access to the auditing mailbox(es) is restricted and, if so, access
is permitted only to a small number of trusted individuals.
24.1.1.6 Determine whether the auditing mailbox(es) are routinely monitored so they
do not run out of disk space.
24.1.1.7 Determine whether Exchange Server Operations Management regularly runs
the Microsoft Exchange Best Practices Analyzer tool, which scans the
Exchange Server Environment and reports on overall “health” of Exchange
servers and topology.
Run Microsoft Exchange Best Practices Analyzer from the EMC and obtain
explanations for any variances.
24.1.1.8 Determine whether Exchange Server 2010 Operations Management
regularly runs the Microsoft Exchange Server User Monitor tool for real-time
analysis of current client usage patterns, both for capacity planning and to
identify users with excessive use patterns (which could indicate downloading
of the enterprise’s intellectual property).
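As an added example that is not part of the ISACA program, the script below performs steps 24.1.1.1 to 24.1.1.4 from the shell: it checks that administrator audit logging is enabled with full cmdlet and parameter scope, exports the last 30 days of entries, and separates the after-hours entries the program asks to explain. It assumes Exchange Server 2010 SP1 or later, where the log is held in an arbitration mailbox and read with Search-AdminAuditLog (the RTM release used the auditing mailbox the program describes); the 30-day window, the 07:00 to 19:00 business hours and the list of sensitive cmdlets are the author's assumptions.

```powershell
# Added example, not part of the ISACA program: verify administrator cmdlet
# logging and extract cmdlet use for steps 24.1.1.1 to 24.1.1.4. Assumes
# Exchange Server 2010 SP1 or later, where the log is held in an arbitration
# mailbox and read with Search-AdminAuditLog (the RTM release used the
# auditing mailbox the program describes). The 30-day window and business
# hours of 07:00-19:00 Monday to Friday are constructed assumptions.
$OutDir = 'C:\Audit\AdminAudit'   # placeholder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 24.1.1.2: logging must be on and cover every cmdlet and every parameter
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.AdminAuditLogEnabled) { Write-Warning 'Administrator audit logging is DISABLED' }
$cmdletScope = $cfg.AdminAuditLogCmdlets    -join ','
$paramScope  = $cfg.AdminAuditLogParameters -join ','
if ($cmdletScope -ne '*' -or $paramScope -ne '*') {
    Write-Warning ("Audit scope narrowed: cmdlets={0} parameters={1}" -f $cmdletScope, $paramScope)
}
if ($cfg.AdminAuditLogExcludedCmdlets) {
    Write-Warning ("Cmdlets excluded from logging: {0}" -f ($cfg.AdminAuditLogExcludedCmdlets -join ','))
}
"Audit log retention: {0}" -f $cfg.AdminAuditLogAgeLimit

# 24.1.1.4: pull the last 30 days. ResultSize defaults to 1000 and silently
# truncates a busy month, so raise it to the maximum.
$end     = Get-Date
$start   = $end.AddDays(-30)
$entries = @(Search-AdminAuditLog -StartDate $start -EndDate $end -ResultSize 250000)
$flat = $entries | Select-Object RunDate, Caller, CmdletName, ObjectModified, Succeeded, OriginatingServer,
    @{n='Parameters'; e={ @($_.CmdletParameters | ForEach-Object { "-{0} {1}" -f $_.Name, $_.Value }) -join ' ' }}
$flat | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'admin-audit-30d.csv')

# Entries outside business hours or on weekends (confirm first whether RunDate
# is reported in UTC or local time in this environment; local is assumed here)
$afterHours = $flat | Where-Object {
    $t = $_.RunDate
    ($t.Hour -lt 7) -or ($t.Hour -ge 19) -or (@('Saturday', 'Sunday') -contains $t.DayOfWeek)
}
$afterHours | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'after-hours.csv')

# Cmdlets that change who holds rights or alter auditing, hold or mail-flow
# settings; each caller/cmdlet pair should be traceable to an approved change
$sensitive = @('Set-AdminAuditLogConfig', 'New-ManagementRoleAssignment', 'Add-RoleGroupMember',
    'New-RoleGroup', 'Add-MailboxPermission', 'Add-ADPermission', 'New-MailboxSearch',
    'New-TransportRule', 'Set-TransportRule', 'Remove-TransportRule', 'New-JournalRule')
$flat | Where-Object { $sensitive -contains $_.CmdletName -or
                       ($_.CmdletName -eq 'Set-Mailbox' -and $_.Parameters -match 'LitigationHold') } |
    Group-Object Caller, CmdletName | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Set-AdminAuditLogConfig appears in the sensitive list deliberately: the one cmdlet an administrator would run to stop the log is itself logged, so its absence from the period is part of the evidence that the log is complete.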
24.2 Ethical Firewalls
Audit/Assurance Objective: E-mail systems are separated as needed to protect the
confidentiality of e-mails.
25. Ethical Firewalls
Control: An ethical firewall is in place to block e-mails between one part of the enterprise and another. If this is appropriate to the enterprise being audited, Exchange Server 2010 is configured with appropriate rules to enforce such requirements. COSO: X
25.1.1.1 Determine whether the entity being audited has any restrictions on e-mail communication among user departments, companies or groups.
25.1.1.2 If such a restriction is required between entities (e.g., traders and analysts in
financial services, or contractors/employees and a competitor), determine
whether suitable rules have been deployed to enforce the ethical firewall.
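The following function is an added example and is not part of the ISACA program. For step 25.1.1.2 it inspects the Exchange Server 2010 transport rules for a pair of groups and reports whether an enabled rule blocks mail in each direction, and how many exceptions each rule carries. It assumes the transport-rule object exposes its predicates as properties (FromMemberOf, SentToMemberOf and the ExceptIf* family), as in Exchange 2010 SP1; the group names Traders and Analysts are placeholders taken from the program's own illustration.

```powershell
# Added example, not part of the ISACA program: test whether an ethical firewall
# between two groups is enforced by Exchange Server 2010 transport rules
# (step 25.1.1.2). A wall needs an enabled blocking rule in each direction, and
# every exception on such a rule must be justified. Assumes the transport-rule
# object exposes its predicates as properties (FromMemberOf, SentToMemberOf,
# ExceptIf*), as in Exchange 2010 SP1. Group names are placeholders.
function Test-EthicalWall {
    param([string]$GroupA = 'Traders', [string]$GroupB = 'Analysts')

    # Predicates store the group's SMTP address, so compare on address, not display name
    $addrA = (Get-DistributionGroup -Identity $GroupA).PrimarySmtpAddress.ToString()
    $addrB = (Get-DistributionGroup -Identity $GroupB).PrimarySmtpAddress.ToString()
    $rules = @(Get-TransportRule)

    function Find-Wall($from, $to) {
        $rules | Where-Object {
            $rule = $_
            $senders    = @($rule.FromMemberOf   | ForEach-Object { $_.ToString() })
            $recipients = @($rule.SentToMemberOf | ForEach-Object { $_.ToString() })
            ($senders -contains $from) -and ($recipients -contains $to) -and
            ($rule.RejectMessageReasonText -or $rule.DeleteMessage)   # must actually block
        }
    }

    $directions = @(
        @{ Label = "$GroupA -> $GroupB"; Rules = @(Find-Wall $addrA $addrB) },
        @{ Label = "$GroupB -> $GroupA"; Rules = @(Find-Wall $addrB $addrA) }
    )
    foreach ($d in $directions) {
        $enabled = @($d.Rules | Where-Object { $_.State -eq 'Enabled' })
        if ($enabled.Count -eq 0) {
            Write-Warning ("No enabled blocking rule for {0}" -f $d.Label)
            continue
        }
        foreach ($r in $enabled) {
            # Exceptions punch holes in the wall; list them for the auditee to explain
            $holes = @($r.ExceptIfFromMemberOf) + @($r.ExceptIfSentToMemberOf) +
                     @($r.ExceptIfFrom) + @($r.ExceptIfSentTo) | Where-Object { $_ }
            "{0}: rule '{1}' (priority {2}) blocks; {3} exception(s)" -f $d.Label, $r.Name, $r.Priority, @($holes).Count
        }
    }
}
Test-EthicalWall
```

A rule that only applies a disclaimer or copies a manager satisfies neither direction, which is why the check insists on a reject or delete action rather than on the existence of a rule mentioning both groups.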
26. NETWORK
26.1 Network Design
Audit/Assurance Objective: The network utilized by the Exchange Server 2010 environment is
protected from unauthorized access and intrusion opportunities are minimized.
27. Server Network Location
Control: Servers that host Exchange Server 2010 are located in a suitably protected subnet. [5]
COBIT cross-reference: DS5.12. COSO: X
27.1.1.1 Obtain a network schematic for the Exchange Server 2010 sites within the audit scope.
[5] For a simplified Exchange Server architecture, see Appendix II: Exchange Server 2010 – Server Roles.
27.1.1.2 Determine if the Exchange Server 2010 network segments are adequately
secured, i.e., not directly accessible from the Internet, behind the appropriate
firewall(s), within the scope of deployed Intrusion Detection/Prevention
systems.
28. CONTINGENCY PLANNING
28.1 Contingency Planning
Audit/Assurance Objective: Essential Exchange Server 2010 services are included in the IT
contingency plan/business continuity plan (BCP).
29. Contingency Business Impact Analysis
Control: Exchange Server 2010 applications are included in the business unit’s business impact analysis (BIA).
COBIT cross-reference: DS4. COSO: X
29.1.1.1 Obtain the BIA for the business units operating Exchange Server 2010 sites.
29.1.1.2 Determine if the BIA considers the Exchange Server 2010 site in its
continuity analysis.
30. Contingency Plan for Exchange Server 2010 Applications
Control: Exchange Server 2010 applications are included in the contingency plan based on their risk profile.
COBIT cross-reference: DS4. COSO: X
30.1.1.1 Obtain the BIA.
30.1.1.2 Determine if the Exchange Server 2010 applications are rated as high-
priority for restoration.
30.1.1.3 Verify that the continuity plan includes interim processing and restoration
plans.
30.2 High Availability Audit/Assurance
Audit/Assurance Objective: The Exchange Server 2010 environment can deliver high-
availability—typically 99.99% uptime or better—to users, given the mission-critical
nature of e-mail communications.
31. Control: The Exchange Server 2010 upgrade or deployment included specific design goals for high availability.
COBIT cross-reference: DS4, PO2.1. COSO: X
31.1.1.1 Obtain the upgrade or deployment plans for a sample of Exchange Server
2010 sites.
31.1.1.2 Determine whether the plans specifically included design criteria to support
high-availability and that the level chosen (e.g., 99.99% uptime) is
appropriate to the business environment.
31.1.1.3 Obtain a copy of the high-availability architecture and determine whether
the Exchange Server 2010 Database Availability Group (DAG) design is
appropriate to provide rapid and automated failover and recovery of all the
Exchange Server 2010 databases.
31.1.1.4 Obtain and review a copy of the failover and recovery test plan to determine:
a) That it covers all databases in the defined DAG, and
b) That the plan is required to be tested regularly in full disaster simulation
mode.
31.1.1.5 Obtain and review a copy of the last Exchange Server 2010 failover and
recovery test. Determine whether the results of the test were analyzed and
reported to senior management and that appropriate remediation has been
completed of any shortcomings or weaknesses in the test results.
31.1.1.6 Obtain and review a copy of the high-availability architecture and establish that failover copies of databases are not held on the same physical servers as the original databases.
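The script below is an added example, not part of the ISACA program. It turns steps 31.1.1.3 and 31.1.1.6 (every replicated database has healthy copies on at least two different servers) and step 18.1.1.1 (DAG network encryption) into a single check run from the Exchange Management Shell, using Get-DatabaseAvailabilityGroup, Get-MailboxDatabase and Get-MailboxDatabaseCopyStatus. The output folder and the copy-queue threshold of 10 logs are assumptions; the threshold is an audit choice, not an Exchange default.

```powershell
# Added example, not part of the ISACA program: DAG evidence for step 18.1.1.1
# (network encryption) and steps 31.1.1.3 / 31.1.1.6 (every replicated database
# has healthy copies on at least two different servers). Run in the Exchange
# Management Shell with view-only rights (assumption). The copy-queue threshold
# is an audit assumption, not an Exchange default.
$maxCopyQueue = 10
$OutDir = 'C:\Audit\DAG'   # placeholder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

foreach ($dag in Get-DatabaseAvailabilityGroup) {
    # Log shipping between members carries mailbox content. 'Disabled' sends it
    # in clear text; 'InterSubnetOnly' still leaves same-subnet replication clear.
    if ($dag.NetworkEncryption -ne 'Enabled') {
        Write-Warning ("DAG {0}: NetworkEncryption={1}, expected Enabled" -f $dag.Name, $dag.NetworkEncryption)
    }
    "DAG {0}: members {1}" -f $dag.Name, (@($dag.Servers | ForEach-Object { $_.Name }) -join ', ')
}

$report = foreach ($db in Get-MailboxDatabase -Status) {
    $copies  = @(Get-MailboxDatabaseCopyStatus -Identity $db.Name)
    # Copy names are "<database>\<server>"; distinct server names are the real redundancy
    $servers = @($copies | ForEach-Object { ($_.Name -split '\\')[-1] } | Sort-Object -Unique)
    $bad     = @($copies | Where-Object { @('Mounted', 'Healthy') -notcontains $_.Status })
    $lagging = @($copies | Where-Object { $_.CopyQueueLength -gt $maxCopyQueue })

    $finding = ''
    if     ($db.MasterType -ne 'DatabaseAvailabilityGroup') { $finding = 'not in a DAG: no automated failover' }
    elseif ($servers.Count -lt 2) { $finding = 'single copy: no failover target' }
    elseif ($bad.Count -gt 0)     { $finding = 'copy not healthy' }
    elseif ($lagging.Count -gt 0) { $finding = 'copy queue above threshold' }

    New-Object PSObject -Property @{
        Database    = $db.Name
        CopyServers = $servers -join ';'
        Unhealthy   = @($bad     | ForEach-Object { "{0}={1}" -f $_.Name, $_.Status }) -join ';'
        Lagging     = @($lagging | ForEach-Object { "{0}={1}" -f $_.Name, $_.CopyQueueLength }) -join ';'
        Finding     = $finding
    }
}
$report | Select-Object Database, CopyServers, Unhealthy, Lagging, Finding |
    Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'database-copies.csv')
$report | Where-Object { $_.Finding } | Format-Table Database, Finding -AutoSize
```

Counting distinct server names rather than copies is the point of the check: two copies of a database on the same mailbox server satisfy a copy count but not step 31.1.1.6.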
31.2 Backup and Recovery
Audit/Assurance Objective: The Exchange Server 2010 backup and recovery schedule is
appropriate to protect the enterprise’s investment in a reliable messaging service.
32. Backup and Recovery
Control: A backup and recovery process is documented and addresses contingency needs.
COBIT cross-reference: DS11.2, DS11.5. COSO: X
32.1.1.1 Obtain and review a copy of the enterprise’s disaster recovery plan (DRP) and determine whether service levels have been taken into account, namely all of the following:
- Service level agreements (SLAs), which define how long e-mail can be down before service has to be restored
- Recovery point objectives (RPOs), which determine how much data can be lost, measured in minutes
- Recovery time objectives (RTOs), which determine the maximum time allowed for recovering each service, measured in minutes
In addition, recovery after any of the following needs to be taken into account:
- Loss of a single message
- Loss of a single mailbox
- Loss of a database server
- Loss or corruption of a mailbox database
- Loss or corruption of a public folder database (if public folders are deployed)
33. Determine whether Microsoft System Center Data Protection Manager (DPM) 2010 is deployed and
used for automated backup and recovery.
34. Obtain and review a copy of the last recovery test and determine whether all of the above were
tested and whether all deficiencies in the tested recovery process have been fully remediated.
35. Determine whether backup copies of the Exchange Server 2010 databases are:
- Maintained in a secure offsite facility
- Backup tapes or disks are encrypted before leaving the premises
- Access to offsite backup copies is restricted to a small number of trusted employees
- Backup copies are carried to the offsite storage by a third party in a secure fashion, e.g., armored vehicles, armed guards, etc.
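As an added example that is not part of the ISACA program, the script below gathers the technical side of the backup and recovery control (items 32 to 35): the last full and incremental backup Exchange has recorded for every mailbox and public folder database, compared against the RPO in the DRP, plus a check for the DPM protection agent on each mailbox server (item 33). The 24-hour limit, the output folder and the DPM agent service name DPMRA are assumptions to confirm against the enterprise's DRP and DPM documentation.

```powershell
# Added example, not part of the ISACA program: backup-recency evidence for the
# backup and recovery control (items 32 to 35). Each database's last recorded
# backup is compared with the RPO from the DRP; the 24-hour limit below and the
# DPM agent service name 'DPMRA' (item 33) are assumptions to confirm against
# the enterprise's DRP and DPM documentation. Run in the Exchange Management
# Shell with view-only rights.
$maxAgeHours = 24
$now = Get-Date
$OutDir = 'C:\Audit\Backup'   # placeholder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# -Status populates the backup timestamps; public folder databases count too (item 32.1.1.1)
$databases = @(Get-MailboxDatabase -Status) + @(Get-PublicFolderDatabase -Status)

$report = foreach ($db in $databases) {
    # An empty LastFullBackup means Exchange has never seen a successful full backup
    $lastFull = $db.LastFullBackup
    $ageHours = $null
    if ($lastFull) { $ageHours = [math]::Round(($now - $lastFull).TotalHours, 1) }

    $finding = ''
    if     (-not $lastFull)             { $finding = 'never backed up' }
    elseif ($ageHours -gt $maxAgeHours) { $finding = 'last full backup older than RPO' }
    elseif ($db.BackupInProgress)       { $finding = 'backup in progress at time of check; re-run' }

    New-Object PSObject -Property @{
        Database        = $db.Name
        Server          = $db.Server.Name
        LastFull        = $lastFull
        LastIncremental = $db.LastIncrementalBackup
        AgeHours        = $ageHours
        Finding         = $finding
    }
}
$report | Select-Object Database, Server, LastFull, LastIncremental, AgeHours, Finding |
    Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'backup-age.csv')
$report | Where-Object { $_.Finding } | Format-Table Database, Server, AgeHours, Finding -AutoSize

# Item 33: is the DPM protection agent installed and running on each mailbox server?
foreach ($srv in Get-MailboxServer) {
    $agent = Get-Service -ComputerName $srv.Name -Name 'DPMRA' -ErrorAction SilentlyContinue
    if ($agent) { "{0}: DPM agent {1}" -f $srv.Name, $agent.Status }
    else        { "{0}: no DPM agent found (check which backup product is used)" -f $srv.Name }
}
```

The timestamps come from the database header, which Exchange updates only when a VSS-aware backup completes and truncates logs; a file copy of the database files leaves them untouched, so a stale LastFullBackup is evidence even when an operator insists backups are running.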
COBIT Control Objective | Assessed Maturity | Target Maturity | Reference Hyperlink | Comments
PO1 Define a Strategic IT Plan
PO1.1 IT Value management—Work with the business to ensure that the enterprise
portfolio of IT-enabled investments contains programmes that have solid business cases.
PO1.2 Business-IT alignment—Establish processes of bi-directional education and
reciprocal involvement in strategic planning to achieve business and IT alignment and
integration.
PO2 Define the Information Architecture
PO2.1 Enterprise information architecture model—Establish and maintain an enterprise
information model to enable applications development and decision-supporting activities,
consistent with IT plans.
PO2.3 Data classification scheme—Establish a classification scheme that applies
throughout the enterprise, based on the criticality and sensitivity of enterprise data. This
scheme should include details about data ownership; definition of appropriate security
levels and protection controls; and a brief description of data retention and destruction
requirements, criticality and sensitivity. It should be used as the basis for applying controls
such as access controls, archiving or encryption.
PO4 Define the IT Processes, Organisation and Relationships
PO4.6 Establishment of roles and responsibilities—Establish and communicate roles and
responsibilities for IT personnel and end users that delineate between IT personnel and
end-user authority, responsibilities and accountability for meeting the organisation’s needs.
PO4.8 Responsibility for risk, security and compliance—Embed ownership and
responsibility for IT-related risks within the business at an appropriate senior level. Define
and assign roles critical for managing IT risks, including the specific responsibility for
information security, physical security and compliance.
PO4.9 Data and system ownership—Provide the business with procedures and tools,
enabling it to address its responsibilities for ownership of data and information systems.
Owners should make decisions about classifying information and systems and protecting
them in line with this classification.
[6] The COBIT control objectives have been abridged to focus on Exchange Server 2010 concerns. Extended descriptions were maintained for critical objectives.
their activity on IT systems (business application, IT environment, system operations,
development and maintenance) are uniquely identifiable. Enable user identities via
authentication mechanisms. Confirm that user access rights to systems and data are in line
with defined and documented business needs and that job requirements are attached to user
identities. Ensure that user access rights are requested by user management, approved by
system owners and implemented by the security-responsible person. Maintain user
identities and access rights in a central repository. Deploy cost-effective technical and
procedural measures, and keep them current to establish user identification, implement
authentication and enforce access rights.
DS5.4 User account management—Address requesting, establishing, issuing, suspending,
modifying and closing user accounts and related user privileges with a set of user account
management procedures. Include an approval procedure outlining the data or system owner
granting the access privileges. These procedures should apply for all users, including
administrators (privileged users) and internal and external users, for normal and emergency
cases. Rights and obligations relative to access to enterprise systems and information
should be contractually arranged for all types of users. Perform regular management review
of all accounts and related privileges.
DS5.10 Network security—Use security techniques and related management procedures
(e.g., firewalls, security appliances, network segmentation, intrusion detection) to authorise
access and control information flows from and to networks.
DS9 Managing the Configuration
DS9.1 Configuration repository and baseline—Establish a supporting tool and a central
repository to contain all relevant information on configuration items. Monitor and record
all assets and changes to assets. Maintain a baseline of configuration items for every
system and service as a checkpoint to which to return after changes.
DS9.2 Identification and maintenance of configuration items—Establish configuration
procedures to support management and logging of all changes to the configuration
repository. Integrate these procedures with change management, incident management and
problem management procedures.
DS9.3 Configuration integrity review—Periodically review the configuration data to verify
and confirm the integrity of the current and historical configuration.
DS11 Manage Data
DS11.2 Storage and retention arrangements—Define and implement procedures for
effective and efficient data storage, retention and archiving to meet business objectives, the
organisation’s security policy and regulatory requirements.
DS11.5 Backup and restoration—Define and implement procedures for backup and
restoration of systems, applications, data and documentation in line with business
requirements and the continuity plan.
DS11.6 Security requirements for data management—Define and implement policies and
procedures to identify and apply security requirements applicable to the receipt, processing,
storage and output of data to meet business objectives, the organisation’s security policy
and regulatory requirements.
ME2 Monitor and Evaluate Internal Control
ME2.1 Monitoring of internal control framework—Continuously monitor, benchmark and
improve the IT control environment and control framework to meet organisational
objectives.
ME2.2 Supervisory review—Monitor and evaluate the efficiency and effectiveness of
internal IT managerial review controls.
ME2.3 Control exceptions—Identify control exceptions, and analyse and identify their
underlying root causes. Escalate control exceptions and report to stakeholders
appropriately. Institute necessary corrective action.
ME2.4 Control self-assessment—Evaluate the completeness and effectiveness of
management’s control over IT processes, policies and contracts through a continuing
programme of self-assessment.
ME2.7 Remedial actions—Identify, initiate, track and implement remedial actions arising
from control assessments and reporting.
ME3 Ensure Compliance With External Requirements
ME3.1 Identification of external, legal, regulatory and contractual compliance
requirements—Identify, on a continuous basis, local and international laws, regulations,
and other external requirements that must be complied with for incorporation into the
organisation's IT policies, standards, procedures and methodologies.
ME3.2 Optimisation of response to external requirements—Review and adjust IT policies,
standards, procedures and methodologies to ensure that legal, regulatory and contractual
requirements are addressed and communicated.
ME3.3 Evaluation of compliance with external requirements—Confirm compliance of IT
policies, standards, procedures and methodologies with legal and regulatory requirements.
ME3.4 Positive assurance of compliance—Obtain and report assurance of compliance and
adherence to all internal policies derived from internal directives or external legal,
regulatory or contractual requirements, confirming that any corrective actions to address
any compliance gaps have been taken by the responsible process owner in a timely manner.
ME4 Provide IT Governance
ME4.1 Establishment of an IT governance framework—Define, establish and align the IT
governance framework with the overall enterprise governance and control environment.
Report IT governance status and issues.
ME4.3 Value delivery—Manage IT-enabled investment programmes and other IT assets
and services to ensure that they deliver the greatest possible value in supporting the
enterprise’s strategy and objectives. Ensure that the expected business outcomes of IT-
enabled investments and the full scope of effort required to achieve those outcomes are
understood; that comprehensive and consistent business cases are created and approved by
stakeholders; that assets and investments are managed throughout their economic life
cycle; and that there is active management of the realisation of benefits, such as
contribution to new services, efficiency gains and improved responsiveness to customer
demands.
[Spider graph: This spider graph is an example of the assessment results and maturity target for an Exchange Server 2010 assessment. Series plotted: Assessment and Target, on a maturity scale of 1 to 5. Axes: PO1 Define a Strategic IT Plan; PO4 Define the IT Processes, Organisation and Relationships; AI1 Identify Automated Solutions; AI3.3 Infrastructure Maintenance; AI7 Install and Accredit Solutions and Changes; DS5 Ensure Systems Security; DS9 Managing the Configuration; DS11 Manage Data; ME2 Monitor and Evaluate Internal Control; ME3 Ensure Compliance With External Requirements; ME4 Provide IT Governance.]
1. Client Access Server enables access to mailboxes through a variety of clients: Outlook, Outlook Anywhere, Outlook Web App, POP3, IMAP4. It also hosts Exchange Web
services, such as the Autodiscover and Availability services.
2. Hub Transport Server handles mail flow inside the Exchange organization, applies transport rules and journaling policies, and delivers mail to recipients’ mailboxes.
3. Mailbox Server hosts mailbox and public folder databases, generates the offline address book (OAB), and enforces email address policies and managed folders.
4. Edge Transport Server, as the name suggests, is an Internet-facing server that routes mail into and out of the Exchange organization. It also performs anti-spam and antivirus
filtering, and applies messaging security policies to messages in transport. The Edge Transport Server must be installed on its own server in the perimeter network and outside
the Active Directory forest.
5. Unified Messaging Server provides connectivity between Exchange Server and the internal telephony system (PBX), allowing users to access their mailboxes from
telephones and also to receive voicemail messages in their Exchange Server mailboxes.