FormAssembly is committed to providing a secure platform for your data collection needs. But did you know there are additional steps you can take to further fortify your FormAssembly instance? Whether you’re a current customer or considering FormAssembly as your data collection solution, these best practices – written by FormAssembly’s Director of Security and Compliance David Scovetta – will bolster your security posture and protect your valuable data.
Hardening your FormAssembly instance
- Review User Groups
  - Check group permissions and make sure only the necessary ones are enabled for specific members.
  - Documentation: https://help.formassembly.com/help/user-groups
- Review Members
  - Check the permission packages assigned to each member and make sure only the necessary permissions are granted.
  - Deactivate the accounts of members who no longer need access or are no longer part of the company.
  - Review administrators and ensure they are appropriately privileged.
  - Documentation: https://help.formassembly.com/help/user-groups#user-group-configuration
- Review User Group Logs
  - Check for log entries that add, update, or remove a member or change their permissions, and make sure every such action was authorized by your company.
  - Documentation: https://help.formassembly.com/help/user-groups#user-group-logs
- Configure Password Expiration, Use Unique Passwords, and Monitor Breaches
  - Password expiration can be a strong measure to protect accounts. If you are complying with PCI DSS, section 8.3.9 requires you to change account passwords at least every 90 days. Ensure staff use a unique password per site to protect against credential stuffing attacks. Several sites, such as haveibeenpwned, offer free domain-level account monitoring for recent exposures.
  - You can configure this in: Administration > Settings > Application.
- Review Registered Third-Party Applications
  - Check the list of registered third-party applications and ensure that only authorized ones are listed.
  - Documentation: https://help.formassembly.com/help/registering-3rd-party-apps-for-enterprise-admins
- Enable Secure File Scan
  - Scan all incoming file upload field attachments on submitted forms and workflows to avoid receiving malicious files.
  - Documentation: https://help.formassembly.com/help/secure-file-scan
- Enable Multi-Factor Authentication
  - Multi-factor authentication (MFA) is any additional method of authenticating a user to an application beyond the standard username/email address and password combination. It is essential to prevent the complete takeover of an account whose password has been compromised.
  - Documentation: https://help.formassembly.com/help/multifactor-authentication
- Utilize Security Assertion Markup Language (SAML) for Authentication
  - SAML can be used to securely access your FormAssembly account and forms. This method prevents credential stuffing attacks, brute forcing of credentials, and credential sharing.
  - Documentation: https://help.formassembly.com/help/saml-authentication-setup
- Configure Session Termination for Inactive Users
  - Ensure that user sessions terminate after a reasonable period. If you are complying with PCI DSS, section 8.2.8 requires you to terminate the session of an account that has been inactive for more than 15 minutes.
  - You can configure this in: Administration > Security > Application.
  - Documentation: https://help.formassembly.com/help/inactive-user-logout
- Configure Data Retention – Purge Responses
  - FormAssembly offers the ability to purge form responses, which permanently deletes response data from your instance.
  - Documentation: https://help.formassembly.com/help/purge-settings-and-logs#purge-completed-form-responses
- Configure Field-Level Security
  - If you are storing Personally Identifiable Information (PII), Protected Health Information (PHI), or Sensitive Personal Information (SPI), make sure to assign those fields the appropriate sensitive data type so that data masking is enabled.
  - Documentation: https://help.formassembly.com/help/sensitive-data#mark-fields-as-sensitive
- Regularly Perform Privacy Impact Assessments
  - Exercise due diligence by regularly performing a privacy impact assessment for each form. This helps your company identify whether you are collecting unnecessary data. It is always better to collect only the data you can protect, to avoid privacy-related penalties should an incident occur. Assess the records being ingested by your forms and ensure your privacy policies account for them.
- Implement Input Field Validation
  - FormAssembly highly recommends implementing input field validation. There are built-in rules based on the input field type, but you can also create custom ones using RegEx. This helps prevent injection attacks –
  - Documentation: https://help.formassembly.com/help/340490-input-validation-rules
- Review Enabled Connectors
  - It is recommended to review the enabled connectors and their configuration to ensure that data is only processed by and shared with the intended third parties.
- Review Form Collaborators
  - It is recommended to review the list of form collaborators to ensure that only authorized users can read responses or edit forms.
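The "Review User Group Logs" item above asks you to confirm that every membership or permission change was authorized. The following is an added example (not FormAssembly code) of how a reviewer can triage an exported log against a register of approved changes. The line format, field names, and sample entries are all constructed for illustration; FormAssembly's User Group Logs are viewed in the web UI, and a real export may look different.

```python
"""Triage user-group audit log entries against an approved-change register.

Added example, not FormAssembly's own code. The log line format below is an
assumption made for this illustration; adapt parse_log() to whatever export
you actually have.
"""
import re
from datetime import datetime

# Constructed sample export (assumed format):
# "<ISO timestamp> actor=<email> action=<verb> target=<email> detail=<text>"
SAMPLE_LOG = """\
2024-05-02T09:14:03Z actor=admin@example.com action=member_added target=j.doe@example.com detail=group=Finance
2024-05-02T09:16:40Z actor=admin@example.com action=permission_changed target=j.doe@example.com detail=package=Editor->Admin
2024-05-03T22:47:11Z actor=k.lee@example.com action=permission_changed target=k.lee@example.com detail=package=Viewer->Admin
2024-05-04T10:02:55Z actor=admin@example.com action=member_deactivated target=old.user@example.com detail=offboarding
2024-05-05T03:12:00Z actor=svc-integration@example.com action=member_added target=ext.contractor@partner.example detail=group=Finance
"""

# Change register: (action, target) pairs that were ticketed and approved.
# Constructed for the sample above.
APPROVED_CHANGES = {
    ("member_added", "j.doe@example.com"),
    ("permission_changed", "j.doe@example.com"),
    ("member_deactivated", "old.user@example.com"),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) actor=(?P<actor>\S+) action=(?P<action>\S+) "
    r"target=(?P<target>\S+) detail=(?P<detail>.*)$"
)


def parse_log(text):
    """Parse the assumed export format into dicts; blank or malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["ts"] = datetime.strptime(entry["ts"], "%Y-%m-%dT%H:%M:%SZ")
            entries.append(entry)
    return entries


def review_entries(entries, approved, org_domain, work_start=7, work_end=19):
    """Return (reason, entry) findings a reviewer should confirm with the change owner.

    Each check is one reason an entry deserves a second look; an entry can
    trigger several. Hours are compared in the log's own timezone (UTC here).
    """
    findings = []
    for e in entries:
        if e["action"] == "permission_changed" and e["actor"] == e["target"]:
            findings.append(("self-granted permission change", e))
        if (e["action"], e["target"]) not in approved:
            findings.append(("change not in approved register", e))
        if not (work_start <= e["ts"].hour < work_end):
            findings.append(("change outside business hours", e))
        if e["action"] == "member_added" and e["target"].rsplit("@", 1)[-1] != org_domain:
            findings.append(("member added from external domain", e))
    return findings


def summarize(findings):
    """Group findings by target account so the reviewer sees one line per account."""
    by_target = {}
    for reason, e in findings:
        by_target.setdefault(e["target"], []).append(reason)
    return by_target


if __name__ == "__main__":
    found = review_entries(parse_log(SAMPLE_LOG), APPROVED_CHANGES, "example.com")
    for target, reasons in summarize(found).items():
        print(f"{target}: {', '.join(reasons)}")
```

With the constructed sample, the two admin-performed, ticketed changes produce no findings, while the self-granted Admin package at 22:47 and the external contractor added by a service account at 03:12 are each flagged for three reasons. The point of the register is that "was this authorized?" becomes a set lookup rather than a judgement made entry by entry.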
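The "Implement Input Field Validation" item recommends custom RegEx rules. Because a rule that is written loosely validates less than it appears to, here is an added example (not FormAssembly code, and not how FormAssembly evaluates its rules internally) of the three properties a custom allowlist rule should have: it describes the whole value, it is anchored at both ends, and it is paired with a length cap. The rule names and patterns are constructed for illustration.

```python
"""Allowlist input validation with anchored regexes, plus two common mistakes.

Added example, not FormAssembly's own code. RULES and the sample values are
constructed for illustration. Validation narrows what reaches your backend;
it does not replace parameterised queries or output encoding where the value
is later used.
"""
import re

# Each rule: (pattern describing the WHOLE permitted value, maximum length).
# re.ASCII keeps \d to [0-9]; without it, Python's \d also matches other
# Unicode decimal digits (e.g. fullwidth digits), which downstream systems
# may not expect.
RULES = {
    "zip_us":     (re.compile(r"\d{5}(-\d{4})?", re.ASCII), 10),
    "phone_e164": (re.compile(r"\+[1-9]\d{6,14}", re.ASCII), 16),
    "ticket_id":  (re.compile(r"[A-Z]{2,5}-\d{1,6}", re.ASCII), 12),
    "name":       (re.compile(r"[A-Za-z][A-Za-z' -]*", re.ASCII), 100),
}


def validate(rule_name, value):
    """Correct form: length cap first, then fullmatch of the allowlist pattern.

    fullmatch is used rather than '^...$' because '$' also matches just
    before a trailing newline, so '12345\\n' would pass a '$'-anchored rule.
    """
    pattern, max_len = RULES[rule_name]
    if not isinstance(value, str) or len(value) > max_len:
        return False
    return pattern.fullmatch(value) is not None


def naive_validate(rule_name, value):
    """Mistake 1: re.match only anchors the start, and the ASCII flag is dropped.

    Anything appended after a valid prefix is accepted, and so are non-ASCII
    digits.
    """
    pattern, _ = RULES[rule_name]
    return re.match(pattern.pattern, value) is not None


def dollar_anchored_validate(rule_name, value):
    """Mistake 2: anchoring with '^' and '$' still lets a trailing newline through."""
    pattern, _ = RULES[rule_name]
    return re.match("^(?:" + pattern.pattern + ")$", value) is not None


def check_rule(rule_name, accept, reject):
    """Run a rule against lists of values it must accept and must reject.

    Returns the values that behaved unexpectedly, so an empty list means the
    rule passed its test vectors.
    """
    wrong = [v for v in accept if not validate(rule_name, v)]
    wrong += [v for v in reject if validate(rule_name, v)]
    return wrong


if __name__ == "__main__":
    # Constructed test vectors for the zip_us rule.
    print(check_rule("zip_us",
                     accept=["12345", "12345-6789"],
                     reject=["12345<b>", "12345\n", "\uff11\uff12\uff13\uff14\uff15", "1234"]))
```

The `check_rule` helper is the habit worth keeping: write down the values a rule must accept and must reject before the rule goes into a form, and re-run them whenever the rule is edited. A rule that has never seen a deliberately bad input has not been tested.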
Safeguarding Your Data: A Shared Responsibility
By implementing these recommendations and staying informed about the latest security threats, you can create a robust defense against unauthorized access and protect your sensitive information. If you’re interested in learning more about FormAssembly’s security and compliance attainments, you can view and request documentation in our Trust Center.
FormAssembly is dedicated to providing you with the tools and resources you need to maintain a secure environment. Together, we can ensure that your data collection processes remain safe and compliant.