Setting up 'Intranet' forms

CMS Lite Forms are not currently available on the intranet, but there is a way to prepare forms intended for internal (staff) use.

"Security by obscurity"

This method of producing an internal use or intranet form provides no active security. Keep in mind that:

• Any member of the public could access and submit the form if they have the URL of the form.
• Any member of the public could see the form in the results of some search engines.

This method is best used for low-risk forms. Examples include:

• A form that would be provided to a member of the public through an FOI request.
• A form that does not display senstive information in the form itself.
• A form that is not connected to sensitive information resources.

Sensitive information is anything that could be used to provide insight or access to government systems and personnel for hacking, phishing or similar purposes. Examples include things like IDIR IDs, employee numbers, server names and non-public URLs. You can ask for these in the form through text fields, but including them in selection lists or connecting to a database to look up this information would present a risk. If you're unsure of risk, check with your Ministry Security Officer.

Suitable use cases

There are a number of situations where using the public version of CMS Lite Forms may be suitable and worth considering.

• Cross-ministry forms. Since access to many individual intranets is controlled by defined user groups, forms intended for use across government would need to be served from a location all employees have access to. If you're a central office providing service to all ministries and employees, or a large cross-section, using the public version of CMS Lite Forms may be appropriate.
• Broader public sector (BPS) forms. If you work with agencies and organizations outside of government, you may have forms intended for their use. Using the public version of CMS Lite Forms can mean you don't need to set up or maintain security such as IDIR or BCeID for these users.
• Contractor or other limited-audience forms. Similar to the BPS forms, it may be useful for some forms to be available to individuals outside government's security zones such as contractors or a very limited public audience where maintaining user authentication is not practical.
• Portal forms. Many ministries use various service desk and workflow tools like JIRA, ServiceNow, Remedy and others. These may offer their own forms portals like GDX's Client Service Portal that require individual users be set up with access and often with a limitation of how many. If you're not concerned about full integration with things like automatic assignment and routing, labelling, categorization or prioritization, then the public version of CMS Lite Forms may be suitable to allow more users to request services without consuming limited licenses.

How to set up

Setting up one of these forms uses the same workflow as normal, with a few exceptions.

When setting up the form page, use the following settings:

• Select the "Hide From Navigation?" option
• Select the "Exclude from Search Engine?" option

Also consider the following options:

• Use metadata that reflects the difference for this form such as:
  • Security Classification = "Medium"
  • Security Label = "Medium Sensitivity"
  • Audience = "Provincial Government" (or others if appropriate)
• If you DO NOT publish the form page, it'll only available in the QA environment which is restricted to individuals with an IDIR
  • Remember to add the "qa." into the URL when creating links to the form