Keep Your Forms secure

As the City, we handle personal and confidential information, and our residents entrust us to keep that information safe. Here’s how you can make sure your forms maintain resident privacy and security

What information is considered sensitive?

Social Security Numbers must always be encrypted, as well as payment information.

Personal information is sensitive, especially when one form collects a lot of information about an individual, in this case the amount of data collected by one form makes it more sensitive than then one piece of data alone.

IT Help Desk forms and building maintenance requests may collect details about our infrastructure that we do not want to share with the public, look for context to determine the potential harm of the data getting into the wrong hands.

Forms and URLs

If your form uses https:// then data submitted is encrypted, but what happens next ? The data goes somewhere, how safe is that place ?

Data is saved to the form platform, access should be restricted. Everyone should be required to login or use a password to view the form data saved to the platform. Password protected data is only as secure as the password used, consider using a password phrase. Longer passwords are more secure.

What about URL sharing ?

Some platforms create a URL to “SHARE” -- this URL may allow anyone to view the data, how safe is this URL ? Look at the length of the URL for how long it is and how random the pattern of letters and characters.

Which URL would be easiest to hack ?

  • MyFormPlatform.com/myform/ID=123355

  • MyFormPlatform.com/myform/09-23-19/123413403uskyr

  • MyFormPlatform.com/myform/auevuqn38m38n230vn10vn30vn10vn18nqd239ena9dn39vnq03knv0na0dkn

Note: The longer the URL, the better.

Be careful before using the URL :

  • If another layer of defense is required to view the URL. Is a login required ? Can the URL be password protected ? Use another layer of defense if possible.

  • If an attachment is uploaded, does it automatically get a URL assigned? Check when your form application may “SHARE” something you really don’t wish to share.

  • If an attachment uploaded contains sensitive information, determine if it can be encrypted on the form platform.

Forms and Email

  • Email, by default is not encrypted. Your form may use https:// to collect data but the moment an email is sent all the data goes into plain text across the internet, it is not encrypted.

  • Be aware of what data is going into an e-mail, and when e-mails are generated by your form platform.

  • Determine if another way to share data may be more secure.

  • All form platforms should allow you to control when an email is sent, and what data it contains.

  • Form platforms my auto-generate emails, know when this happens so you can disable the feature if you need too.

  • Do not send social security numbers or payment details in emails, they need to be encrypted.

Forms without https://

  • A form without a https:// is not going to encrypt data submitted.

  • Do not collect personal information without https://

PreviousBe mobile-friendlyNextTest and improve your forms

Last updated