Across White Paper

Information Security in Translation Processes

Enterprises do a lot to protect the data on their servers. For example, they implement backup routines, firewalls, as well as declared processes and sets of rules. However, as soon as documents are sent to external service providers for translation and leave the company, information security is no longer guaranteed unless suitable measures are taken. The associated risk is often underestimated. This white paper describes how enterprises can protect information from manipulation, theft, loss, and unwanted disclosure to unauthorized parties.

As a matter of principle, information such as product ideas, vision statements, patents to be registered, marketing campaigns, or business reports is very valuable for enterprises and can represent a competitive advantage or provide protection from damage. To guard such information against loss, theft, unwanted disclosure, or manipulation, responsible handling is a must for its creation, storage, processing, and forwarding. This information security is defined in ISO/IEC 20000:

"Information security is the result of a system of policies and procedures designed to identify, control and protect information and any equipment used in connection with its storage, transmission and processing."

Based on this definition, three goals can be derived, which can be achieved by means of various measures:

  • Availability: Hardware, software, data
  • Integrity: Prevent manipulation of data
  • Confidentiality: Protect sensitive data from unauthorized access

Categories of potential threats:

  • Force majeure: Fire, water damage, lightning
  • Organizational deficiencies: Missing responsibilities, insufficient access control
  • Human error: User errors, confusion of data
  • Technical malfunction: Power failure, hard disk error
  • Intent: Theft, manipulation, computer viruses

Within the company, measures that provide protection against such threats are usually defined within the scope of compliance management. The translation of documents poses special challenges for such measures. Nevertheless, information security is often neglected in the collaboration with language service providers.

Risk Gaps in Translation Processes

The translation workflow comprises distributed processes involving numerous parties that are not necessarily known to the customer. Usually, enterprises engage language service providers or freelancers for localization jobs. In turn, language service providers assign tasks to subcontractors or to freelancers. Data transfer often takes place via e-mail or FTP server, so the data is accessible to more than just the intended recipient. Depending on the translation volume, the supply chain may extend to further sub-subcontractors or other service providers, all of which have different infrastructures and a different understanding of information security. Moreover, the integrity of the data can hardly be guaranteed in open systems. Yet, the industrial enterprise alone is responsible for ensuring the integrity, confidentiality, and availability of the information.

Enterprises are thus faced with the risk of information leakage to the public in an uncontrolled manner. During the development of a product innovation, associated information (e.g. instruction manuals or descriptions) is often translated at an early development stage in order to keep the time to market as short as possible. This approach can be dangerous if a competitor gains access to this information due to inadequate security measures. For example, this information could enable the competitor to launch a new product earlier. Copyright infringements cannot be asserted, as the owner is responsible for ensuring a secure supply chain. Caution is also required when translating texts such as stock exchange reports, in order to prevent insider trading. Even in the pharmaceutical industry and the financial sector, confidential content is often supplied to numerous translators in open document formats and in uncontrolled processes.

These typical processes expose information to unnecessary risks. A non-disclosure agreement – a common measure – is not sufficient and cannot guarantee fully secure data handling. Therefore, the customer should not only identify risks within its immediate sphere of influence and take measures against them, but should also make sure that compliant processes are applied by each individual party involved in the project and for every data handover. The risks can be mitigated by combining compliance policies with suitable technologies.

Organizational Measures

To ensure the availability of the data, the external language service provider should fulfill certain technical preconditions. For example, the contract may require the provider to keep backup copies at a remote location in order to protect the data from loss, and to ensure an uninterrupted power supply. Another approach is central data storage directly at the customer.

To ensure data integrity, mandatory authentication should be implemented in the translation environment in order to prevent unauthorized changes. Moreover, a log should record who changed what, and when. Internal and external employees should regularly participate in training sessions for the systems employed and be able to furnish evidence of the skills acquired. This ensures correct use of the available technical functions. As soon as sensitive data leaves the company for translation, it must be ensured that the external translator does not keep it on his computer after processing it.

This applies not only to the source texts and translations, but also to the translation memory and the corporate terminology. After all, conclusions concerning internal company details can easily be drawn from all this data. Information can be protected additionally by making it available only to a limited group of recipients and by concluding an agreement with the engaged language service provider in order to prevent it from being forwarded to other subsuppliers or freelancers.

Risk Mitigation

As organizational measures cannot adequately ensure the security of the information in distributed translation processes, it is necessary to make use of processes and tools to prevent abuse. This especially includes translation management systems with a translation memory and a terminology system as central components, as well as project and workflow control utilities. These systems provide a closed operating and system environment for all language resources and translation processes, in which all parties involved cooperate on a shared data platform and, ideally, with different access rights. In this way, they make sure that all processes remain transparent and that data cannot be stored on local computers or leave the protected system in an uncontrolled manner. Thus, data sovereignty and the responsibility for IT security measures remain with the enterprise. Some systems already enable the automation of certain process steps, thereby eliminating potential error sources from the outset. For example, automatic task assignment and distinct access rights for the individual parties involved reduce the risk of accidental transmission of translation data to unauthorized recipients. Moreover, translation memory and terminology data can be made available for a specific purpose and a limited period.

Information Security with a TMS

The Across Language Server is one of the leading translation management systems (TMS). It comes with a translation memory and terminology system. Moreover, it is equipped with other utilities to mitigate the described security risks and control projects and processes.

  • The TMS follows a closed approach and can only be accessed via login. The integrated rights system defines the processing possibilities for every user.
  • Texts can be edited only after a task has been assigned. Changes to the translation memory and terminology system can always be traced in the history.
  • The customer can define immutable rules for the translation process that must be observed throughout the supply chain.
  • Upon completion of the tasks or on a particular expiry date, the data are deleted in the supply chain.

Conclusion

For companies to avoid unnecessary risk when having sensitive information translated by external service providers, it is advisable to first define the information security requirements, if necessary with the assistance of external consultants. Thus, initial vulnerabilities can be eliminated by means of simple measures such as training. Moreover, it is advisable to use a closed environment, such as that provided by the Across Language Server. In this way, the customer retains the data sovereignty, all parties involved in the process are seamlessly connected via browser access, the processes are integrated and transparent, and a granular rights system protects sensitive data from unauthorized access or uncontrolled storage.
