We require that each user change their password every three months. We also have requirements as to the length and complexity of the password. For internal meetings that require special security considerations, we only use Microsoft Teams due to the meeting tool’s enhanced security provisions.
During and upon receipt of the assignment from the client
Dedicated, secured email addresses are used to receive job requests from clients. The shift lead downloads the attached file and uploads it to the translator’s document library in SharePoint. Only the shift lead and the translator to whom the translation was assigned have access to that document. The downloaded file is deleted immediately after uploading.
During the translation process
After receiving the alert for a new job (an email generated by the portal whose sole purpose is to notify the translator of a pending assignment), the translator logs into the SharePoint portal over an HTTPS connection with a unique account whose password meets the complexity requirements. Each such connection is recorded in the firewall log, so portal access can be tracked. The translator can then download the file for import into his or her translation software, such as SDL Trados Studio.
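The tracking step above is only useful if someone actually reads the firewall log. The following script is an added example (not Pronto's own tooling) of the check a shift lead or administrator would run over it: it parses Windows Firewall log records in the standard pfirewall.log (W3C extended) layout, keeps only allowed inbound TCP connections to the portal's HTTPS port, counts them per source address, and flags any source that is not on the translator workstation network. The log lines, the portal address 10.0.1.10 and the trusted range 10.0.5.0/24 are constructed for illustration; substitute the real values.

```python
"""Pull SharePoint portal logons out of a Windows Firewall log (pfirewall.log)."""
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample in the pfirewall.log W3C layout (assumed log, not a real capture).
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-03-04 09:12:31 ALLOW TCP 10.0.5.23 10.0.1.10 51522 443 0 - 0 0 0 - - - RECEIVE
2024-03-04 09:12:32 ALLOW TCP 10.0.5.23 10.0.1.10 51523 443 0 - 0 0 0 - - - RECEIVE
2024-03-04 09:14:07 DROP TCP 203.0.113.45 10.0.1.10 44012 443 52 S 0 0 0 - - - RECEIVE
2024-03-04 09:15:50 ALLOW TCP 10.0.5.41 10.0.1.10 50007 443 0 - 0 0 0 - - - RECEIVE
2024-03-04 09:16:02 ALLOW TCP 198.51.100.8 10.0.1.10 60211 443 0 - 0 0 0 - - - RECEIVE
2024-03-04 09:16:30 ALLOW UDP 10.0.5.23 10.0.1.1 53211 53 0 - - - - - - - SEND
"""

PORTAL_IP = "10.0.1.10"                      # assumed address of the SharePoint front end
PORTAL_PORT = 443                            # HTTPS, as the portal is reached over https
TRUSTED_NETS = [ip_network("10.0.5.0/24")]  # assumed translator workstation network


def parse_log(text):
    """Yield one dict per record, naming columns from the #Fields header line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # ignore lines that do not match the declared layout
        yield dict(zip(fields, parts))


def portal_connections(text, portal_ip=PORTAL_IP, portal_port=PORTAL_PORT):
    """Allowed inbound TCP connections to the portal's HTTPS port as (timestamp, src-ip)."""
    out = []
    for rec in parse_log(text):
        if (rec["action"] == "ALLOW" and rec["protocol"] == "TCP"
                and rec["dst-ip"] == portal_ip and rec["dst-port"] == str(portal_port)
                and rec["path"] == "RECEIVE"):
            ts = datetime.strptime(f'{rec["date"]} {rec["time"]}', "%Y-%m-%d %H:%M:%S")
            out.append((ts, rec["src-ip"]))
    return out


def connections_per_source(conns):
    """How many portal connections each source address made."""
    return Counter(src for _, src in conns)


def untrusted_sources(conns, trusted_nets=TRUSTED_NETS):
    """Source addresses that reached the portal from outside the trusted ranges."""
    return sorted({src for _, src in conns
                   if not any(ip_address(src) in net for net in trusted_nets)})


if __name__ == "__main__":
    conns = portal_connections(SAMPLE_LOG)
    for src, n in connections_per_source(conns).most_common():
        print(f"{src:15} {n} connection(s) to the portal")
    for src in untrusted_sources(conns):
        print(f"REVIEW: {src} reached the portal from outside the translator network")
```

On the constructed sample the dropped probe from 203.0.113.45 and the DNS traffic are ignored, the two workstations on 10.0.5.0/24 are listed, and 198.51.100.8 is reported for review. Run this against the real log on a schedule and treat every reported address as an account to confirm with its translator.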
During delivery of the translated text to the client
The shift lead downloads the completed translation from the portal and delivers it to the client as an email attachment. Should the client prefer another delivery method, such as direct upload to their FTP server or delivery via WeTransfer or a similar service, we can accommodate that. The files are stored only in the portal and on the email server. No disclosure is allowed during this process, and all downloaded files must be deleted immediately after use.
After delivery of the translated text to the client
All translated documents are stored and archived in the portal. No one is allowed to modify or delete them. They can only be used as reference for consistency and accuracy as required by clients.
Different permission levels are in place to protect the security of client information. Farm-level, site-level, library-level and document-level permissions are all carefully designed and implemented so that access to, and disclosure of, client information is limited to the assigned stakeholders.
Windows Firewall filters the traffic between servers and personal computers, and Microsoft antivirus software is installed on both.
In addition to the technical measures, all translators must abide by the non-disclosure agreement (NDA) which they have signed as part of the conditions to become a Pronto Translations freelancer. The NDA contains language that binds the translator in protecting information security for both Pronto and the client.
Should a document be designated as requiring “heightened” confidentiality, we apply a higher level of security to its receipt, handling and delivery through a dedicated portal. This portal has its own URL, which is disclosed only to the small group of individuals selected to work on assignments designated “heightened” confidentiality; the URL is not itself treated as the access control, since stricter access permissions are also granted on each file in the portal. All translation and editing work must be carried out and completed in the portal, as no downloading is permitted. For these assignments only, as a further security step, no translation memory is created.
General measures for system security
All Pronto employees must ensure the following measures are in place to prevent unauthorized intrusion and the introduction of malware or other harmful software into our systems:
Deployment of antivirus software on all systems and devices
Deployment of anti-malware software on all systems and devices
Periodic hardening of all operating systems
Implementation of perimeter network segments and network security zones
Required use of complex passwords for access to all systems including all software applications
Required multifactor authentication
Encryption of file systems, disks, and individual documents
Updating of operating systems as soon as upgrades and security patches have been issued by the vendor
Scheduled port scans
Scheduled scans for vulnerabilities
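The scheduled port scans listed above only pay off when each result is compared against what a host is supposed to expose, so that a newly listening service stands out. The following is an added example of that comparison, written for this page and not Pronto's own tooling: a TCP connect scan of a host, a per-host baseline of expected ports, and a report of unexpected, missing and expected listeners. The baseline hosts and ports (the SharePoint front end on 443, a mail server on 25 and 587) are assumptions, and the self-check opens a throwaway listener on 127.0.0.1 so the scan has something to find offline.

```python
"""Scheduled port scan with a per-host baseline: report anything newly listening."""
import socket
from concurrent.futures import ThreadPoolExecutor

# Assumed baseline: the ports each internal host is expected to expose.
BASELINE = {
    "10.0.1.10": {443},       # SharePoint front end: HTTPS only
    "10.0.1.20": {25, 587},   # mail server: SMTP and submission
}


def port_open(host, port, timeout=0.5):
    """TCP connect scan of a single port; True only if the handshake completes."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            return s.connect_ex((host, port)) == 0
        except OSError:          # includes socket.timeout
            return False


def scan_ports(host, ports, timeout=0.5, workers=32):
    """Return the set of open ports on host among the candidate ports given."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, port_open(host, p, timeout)), ports))
    return {p for p, is_open in results if is_open}


def diff_against_baseline(host, observed, baseline=BASELINE):
    """Split observed open ports into unexpected (new), missing and expected."""
    expected = baseline.get(host, set())
    return {
        "unexpected": sorted(observed - expected),   # investigate: new service
        "missing": sorted(expected - observed),      # investigate: service down
        "expected": sorted(observed & expected),
    }


def start_demo_listener():
    """Open a throwaway listener on 127.0.0.1 on a free port (for the self-check)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def self_check():
    """True if the scan finds the demo listener among its neighbouring ports."""
    srv, port = start_demo_listener()
    try:
        return port in scan_ports("127.0.0.1", range(port - 2, port + 3))
    finally:
        srv.close()


if __name__ == "__main__":
    srv, port = start_demo_listener()
    try:
        observed = scan_ports("127.0.0.1", range(port - 2, port + 3))
        # An empty baseline for localhost makes the demo listener show up as unexpected.
        print(diff_against_baseline("127.0.0.1", observed, {"127.0.0.1": set()}))
    finally:
        srv.close()
```

For the real schedule, run scan_ports over the full 1-65535 range (or the range your policy covers) for each baseline host, and alert on any non-empty "unexpected" or "missing" list; a connect scan like this one is deliberately unprivileged and noisy, which is appropriate for scanning your own hosts.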
Pronto has policies and programs in place to manage online security risks. As part of the risk management process, the following tasks are undertaken on a fixed, periodic schedule:
Identify threats and vulnerabilities to the environment
Report risks across the cloud environment
Address risks based on impact assessment and the associated business case
Test potential remediation effectiveness and calculate residual risk
Manage risks on an ongoing basis
Identity and access management
When users are working on different devices from any location and accessing apps across different portals, it is critical to keep the user’s identity secure. We use identity to control access to any services from any device, as well as to gain visibility and insights into how our data is being used.
Some key considerations for identity and access management are:
Periodically re-evaluate how identity provisioning can be automated more securely using the current on-premises infrastructure.
Single sign-on (SSO)
Evaluate the organization’s requirement for SSO and how to integrate it with current apps.
Enforce Role-Based Access Control (RBAC)
Pronto reviewed its endpoint security carefully when the cloud environment was adopted, and continues to review it frequently, because the endpoints became exposed to more external connections and to an increasing number of applications at different portal sites.
Users are the main target of attacks, and endpoints are the primary devices users touch to consume data. The endpoint can be the user’s workstation, smartphone, or any other device used to access cloud resources.
We follow the security best practices listed below when planning for endpoint protection:
Keep endpoint software up to date
Use automatic deployment to deliver definition updates to endpoints
Control access to the download location for software updates
Ensure that end users do not have local administrative privileges
Use the principle of least privileges and role-based administration to grant permissions to users
Monitor endpoint alerts promptly
When the subject is cloud security, the ultimate goal is to ensure that the data is secure no matter where it is located. The data passes through different stages, each defined by where the data is located at that point in time.
Data at rest in the user’s device
In this case the data is located on the endpoint, which can be any device. We always enforce encryption at rest on both company-owned and user-owned devices.
Data in transit from the user’s device to the on-premises private cloud
When data leaves the user’s device, we ensure that the data itself remains protected. The data can be encrypted independently of where it is stored, and it is equally imperative that the transport channel, such as the HTTPS connection to the portal, is encrypted.