A server-side agent on an Exchange server can perform the same policy enforcement. The server-side agent is both complementary and a valuable alternative to the client because it can enforce the e-mail policies designed for the client. Most companies will need to run the server-side agent anyway because it enforces policy when users access e-mail from another PC using Web mail.
Building policies and validating them was complex, however. We used the APM Administration console to build policies based on an organizations directory-based infrastructure. We could create policies at the group or individual level, with individuals inheriting policy attributes from group policy.
We liked how APMs policy framework let us build policies for inbound and outbound e-mail as well as for Web sites based on seven kinds of control triggers, such as recipients, text search and attachments. APM provides at least three triggers of each type in a policy, meaning that a company could specify as many as 30 control triggers for outbound e-mail from a group of users.
Given the large number of triggers, writing each policy is tricky. For each one, we had to determine both the trigger and an action. The trigger specifies not only the unacceptable recipients and message content but also exceptions that countermand these positive indicators. For example, we set up a policy that would block outbound e-mail based on a restricted stock list, unless the e-mail contained terms that would add the qualification that the stock was on a restricted list.
APM allowed us to create as many as 10 actions for each trigger. A trigger will call only a single action, but the options within actions are flexible.
One thing missing in the APM Administration tool is an easy way to copy an existing policy to another group. APM does have tools for migrating policies using XML as well as some policy libraries in both document and XML format, but they arent part of the main application.
APM has policy libraries to help companies more quickly address regulatory requirements. Companies will still need to tune the policies for some regulations, such as building and maintaining restricted lists or blocking communications across internal boundaries.
Companies must plan to allocate resources to managers so they can understand process and regulations to help build the policies. With a few days worth of training, staff charged with ensuring compliance should be able to write policies.
Auditors can use APMs DMC (Data Management Console) to search the APM data store for trigger events and then perform audit functions on those events.
We found DMC provided good tools for managing searches, including the ability to save both simple and complex searches. DMC also exposes the underlying SQL query for administrators who want to capture results in another application, such as Business Objects S.A.s Crystal Reports. APM supports Microsoft SQL Server and Oracle Corp. databases.
We believe auditors will be able to quickly move through a list of trigger events because the DMC interface has buttons for approving, auditing or creating e-mail based on such events .
In addition, when viewing the first trigger event in a search, we could specify that all subsequently viewed trigger events be automatically audited, saving a tedious navigation step.