While email may be the functionality that most users identify when thinking of Microsoft Exchange, the pairing of Exchange with clients such as Microsoft Outlook has broadened Exchange’s functionality beyond email. These other functions include scheduling meetings and creating task lists or contact records. Since the Exchange Server is the platform supporting these functions, consideration should be given to the server’s security and availability, as well as its support of the organization’s compliance initiatives. In its Microsoft Exchange Server 2016 Audit/Assurance Program, ISACA addresses server availability and meets the following audit objectives.
Scope: The Microsoft Exchange Server 2016 Audit/Assurance Program includes all servers running Exchange 2016 and all systems relaying email through the Exchange 2016 environment.
Objective: The primary purpose of this audit program is to assist IT auditors in their assessments of deployments of Microsoft Exchange Server 2016. Accordingly, this audit program takes into consideration assurance that:
- All issues associated with migration from earlier versions of Exchange have been identified and resolved.
- Role-based access control (RBAC) is deployed in the Exchange Server 2016 environment.
- Consideration has been given to the need for (and techniques to achieve) litigation hold on specified mailboxes in the case of legal e-discovery.
- Encryption standards are in place to meet compliance expectations of regulations such as the Health Insurance Portability and Accountability Act (HIPAA) or the Payment Card Industry Data Security Standard (PCI DSS).
- The Exchange Server environment has a Database Availability Group (DAG) design that can support high availability at a level that supports the entity’s business objectives.
As an IT audit and assurance professional, you are expected to customize this document for your unique assurance process environment. Use it as a review tool or starting point to modify for your purposes, rather than as a checklist or questionnaire. Keep in mind that to use this document for maximum effectiveness, you should hold the Certified Information Systems Auditor (CISA) designation or have the necessary subject matter expertise to conduct your assurance process while under the supervision of a professional who holds the CISA designation.