Need suggestions on an anonymous employee feedback system.

JoJoCal19 Mod Posts: 2,835
One of the lines of business I support wants to have a mailbox or system set up to receive anonymous employee feedback. They don't want to use an outside survey vendor, they want an in-house solution. I can't meet all of the requirements because they also want the feedback to be anonymous from system/network admins and I know that's not possible because all traffic is "subject to monitoring" as is the case in most corporate environments. They prefer a mailbox solution, but the only way I can think that it could be anonymous to the people reading the emails is to have a shared mailbox that the users can select the email to be sent from.

Does anyone else have any other suggestions?
Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
Currently Working On: Python, OSCP Prep
Next Up:​ OSCP
Studying:​ Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework

Comments

  • keenon Member Posts: 1,922
    internally hosted feedback webpage
    Become the stainless steel sharp knife in a drawer full of rusty spoons
  • darkerosxx Banned Posts: 1,343
    cyberguypr wrote: »
    [image]

    Seconded. Don't reinvent the wheel. :)
  • JoJoCal19 Mod Posts: 2,835
    keenon wrote: »
    internally hosted feedback webpage

    So I did something similar. I've got them on a customized SharePoint site and the info of who adds or modifies a document is hidden and only the designated admin can see that info (for non-repudiation purposes if someone leaves something nasty). They wanted a mailbox but decided this solution would be ok.
    cyberguypr wrote: »
    [image]

    That was my first thought but I work in large corporate finance. People don't want to deal with paper if they can help it and want to exert as little effort as possible.
  • MrJimbo19 Member Posts: 49
    Google Docs form can work for basic surveys; in the past I have worked for companies that used SurveyMonkey.
  • darkerosxx Banned Posts: 1,343
    I've only ever seen custom-built internal survey sites, but be careful about telling people anything submitted via their workstation is anonymous. It's not and it never will be.
  • RobertKaucher Member Posts: 4,299
    JoJoCal19 wrote: »
    So I did something similar. I've got them on a customized SharePoint site and the info of who adds or modifies a document is hidden and only the designated admin can see that info (for non-repudiation purposes if someone leaves something nasty). They wanted a mailbox but decided this solution would be ok.

    Just be aware that if anonymity is very important, author information can be found very easily using one of the web services. An advanced user could, for example, just visit http://sharepoint.company.com/site/_vti_bin/ListData.svc/ListName?$expand=CreatedBy and they would get either a JSON or XML representation of the list and its contents, including the author.

    Granted that is exceptionally unlikely to ever happen, but it could...
  • JoJoCal19 Mod Posts: 2,835
    darkerosxx wrote: »
    I've only ever seen custom-built internal survey sites, but be careful about telling people anything submitted via their workstation is anonymous. It's not and it never will be.
    Just be aware that if anonymity is very important, author information can be found very easily using one of the web services. An advanced user could, for example, just visit http://sharepoint.company.com/site/_vti_bin/ListData.svc/ListName?$expand=CreatedBy and they would get either a JSON or XML representation of the list and its contents, including the author.

    Granted that is exceptionally unlikely to ever happen, but it could...


    Oh yea we've already told them that 100% anonymity was not happening, period. They even went so far as to request anonymity from sys/network admin, which we said would never happen. They seem to have accepted the limitations of using an internal solution, versus external.
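RobertKaucher's point about the list web service can be turned into a check the site owner runs against a response saved from their own feedback list under an ordinary user account. This is an added example, not code from the thread; the property names (`CreatedById`, `ModifiedBy`, `Name`, `Account`), the `d`/`results` envelope and the sample data are assumptions modeled on an OData JSON feed and are constructed for illustration.

```python
import json

# Properties that identify the submitter. Assumed names, modeled on the
# CreatedBy navigation property mentioned in the thread.
IDENTITY_PROPS = ("CreatedBy", "CreatedById", "ModifiedBy", "ModifiedById")


def author_exposure(feed_text):
    """Return {item title: [identity properties present]} for a JSON list feed."""
    doc = json.loads(feed_text)
    body = doc.get("d", doc) if isinstance(doc, dict) else doc
    items = body.get("results", []) if isinstance(body, dict) else body
    findings = {}
    for item in items:
        exposed = []
        for prop in IDENTITY_PROPS:
            value = item.get(prop)
            if value is None:
                continue
            if isinstance(value, dict) and "__deferred" in value:
                # Not expanded in this response, but the link still leads to the user.
                exposed.append(prop + " (deferred link)")
            else:
                exposed.append(prop)
        if exposed:
            findings[item.get("Title", "<untitled>")] = exposed
    return findings


# Constructed sample response; not captured from a real site.
SAMPLE = json.dumps({"d": {"results": [
    {"Title": "Feedback 1", "CreatedById": 17,
     "CreatedBy": {"Name": "Example User", "Account": "CORP\\example"}},
    {"Title": "Feedback 2",
     "CreatedBy": {"__deferred": {"uri": "https://sharepoint.example/placeholder"}}},
    {"Title": "Feedback 3", "Body": "no author fields returned"},
]}})

if __name__ == "__main__":
    for title, props in author_exposure(SAMPLE).items():
        print(title, "->", ", ".join(props))
```

An empty result for a response fetched as a non-admin user is what "author hidden" should look like; any entry in the result means the hiding is only cosmetic in the page view.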