S 2.483 Security aspects relating to the customisation of Exchange systems
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
When a Groupware system is customised, it is configured and modified in such a way that it is able to meet the specific requirements of the organisation. This task generally takes a lot of time. The following aspects must be taken into consideration from a security perspective:
- Customising requires a corresponding concept to be drawn up describing the required target condition of the Groupware system as accurately as possible. This concept also defines the processes according to which customising will be performed. The concept must be coordinated with the information security management department.
- Customising may only be performed by knowledgeable and trustworthy personnel.
- Customisations of the Groupware system's configuration should not be performed directly in the production system, but in a test environment.
- Feedback processes that allow the concept to be changed during implementation must be designed as part of the customising process (see also S 4.162 Secure configuration of Exchange servers).
Microsoft TechNet contains a detailed description of how to implement the requirements of this safeguard, taking version 2010 as an example. A customised installation of Exchange Server 2010 is described in "Perform a Custom Exchange 2010 Installation: Exchange 2010 Help". Subsequent modifications are described in "Modify or Remove Exchange 2010: Exchange 2010 Help".
Review questions:
- Was a customising concept drawn up for Microsoft Exchange?
- Is the Microsoft Exchange system customised by trained personnel?
- Was it ensured that adaptations and modifications are not performed directly in the production system while customising?