How and when to evaluate your LSP
Imagine you just moved across the country for an exciting new job opportunity. It’s going well, and you’re starting to put down roots in your new home. Sooner or later, you’ll start getting around to some practical necessities, like finding a primary care physician.
When it’s time to find a new doctor, how would you pick a new one? You’d likely ask for a recommendation and look at reviews. You’d also have a baseline of trust knowing the doctor was board and state certified to practice medicine. In regulated industries, like healthcare, mandatory licenses can serve multiple purposes. For patients, one is to facilitate trust with the provider.
By contrast, a language service provider (LSP) operates in an unregulated world. For companies seeking language services, the tricky part can be figuring out which LSPs they can trust. This issue becomes especially important for those working in regulated fields—like financial services, healthcare, and government agencies—where safeguarding private and privileged client information is a must.
If you’re about to use an LSP to translate sensitive information from one language to another, you might wonder, “do my files remain safe when they’re shared with my LSP?” While any company can claim safe storage and transmission of data, the best providers use processes and infrastructure that stand up to the scrutiny of third-party auditors and standards set forth by institutions like AICPA and ISO. If you’re searching for an LSP, here are some tips to keep in mind to ensure your service is trustworthy and secure.
When does safety matter?
For many, security is an afterthought—it never matters until there’s a breach. Some get lucky and never experience one. Others have their data compromised, are unprepared, and left scrambling. At that point, you’re in a poor position—being reactive, assessing exposure, and mitigating your losses.
For some, a breach can mean losing a client and having to rethink procedures and posture. For others, it can mean exposing your company to legal liability.
For prudent business owners, security is approached proactively. It’s a non-functional need—when there’s no data breach, the service you receive is identical, whether it was secure or not. That can make it an afterthought for many. However, in a price-sensitive market like language services, providers are frequently matching or beating a competitor’s prices. The question for you as a business is why wouldn’t you go with the secure option?
When it comes to translation, the shift to cloud-based service means language service providers aren’t just selling language services, they’re selling language services that run on technology. The security built into that tech is essentially your insurance policy.
Given that the need for security is inherent with any cloud-based service, a few questions should naturally be raised by any company in the market for language services. Are you involving your Business Information Security Officer (BISO) in the purchase of language services from an outside vendor? Most importantly, how can you go about vetting the security infrastructure of a language service provider? Let’s look at that last question in more depth.
How to vet language service providers?
When you’re choosing between a handful of language service providers for your organization, do you have the time and resources to audit each one’s security infrastructure and processes individually? Probably not, and that’s the case for most organizations.
Here’s the good news: there are independent organizations that provide widely recognized reports and certifications on security and technology infrastructure. Two prominent examples are the SOC 2 Type II report, whose standards are set forth by the AICPA, and the ISO 27001 standard, which is published by ISO and certified by an accredited third-party auditor.
If your service provider doesn’t hold one of these two reports or certifications, does that mean their services are inherently insecure? Not necessarily. However, if a provider has gone through the vetting process for either, they are sending a very clear signal—safeguarding client data is something they take seriously.
What is a SOC report?
System and Organization Controls attestation reports—commonly referred to as SOC reports—are verifiable auditing reports performed by a Certified Public Accountant (CPA) as designated by the American Institute of Certified Public Accountants (AICPA). Within SOC reporting, there are SOC 1, SOC 2, and SOC 3 reports, along with Type I and Type II versions of each report.
While a SOC 1 report concerns itself mainly with controls relevant to financial reporting, a SOC 2 report has a broader scope, covering security, availability, processing integrity, confidentiality, and privacy. The type of either report indicates the time frame audited: Type I covers the design of controls at a specific point in time, while Type II covers the operating effectiveness of those controls over a period of at least six months.
For the purposes of evaluating a provider’s security, the most relevant of the bunch is the SOC 2 Type II report—its broad scope encompasses security and gives insight into ongoing practices.
Using a SOC 2 Type II Report to evaluate your LSP
A SOC 2 Type II report will help your organization understand an LSP’s “oversight of the organization, vendor management programs, internal corporate governance and risk management processes, and regulatory oversight.” Let’s translate that into plain English: reviewing a provider’s SOC 2 Type II reports means you’ll be given a detailed overview of how your data is stored, used, and safeguarded across every touchpoint.
When your files are sent to your LSP, they then need to be passed on to the actual translators, editors, and proofreaders performing the work. All major LSPs work with a blend of in-house linguists and freelance specialists covering particular languages and subject matters, so your files will likely need to be shared with individuals outside the LSP’s own organization. Without the right infrastructure in place, the further your files travel from the LSP’s locus of control, the greater your risk of a data breach.
When evaluating a service provider, getting a SOC 2 Type II report into the hands of your BISO or IT team will allow you to quickly assess risk and security posture without the time or budget required for your own audit. However, a SOC 2 Type II report isn’t the only way for a service provider to attest security practices. Let’s look at another standard you can use when evaluating your LSP: ISO 27001.
ISO 27001: What does it take to be compliant?
The International Organization for Standardization (ISO) is an independent, non-governmental organization dedicated to creating standards that facilitate safe, reliable, and good-quality international trade. Over 20,000 standards exist, covering everything from manufactured goods to technology and agriculture.
For the purposes of choosing an LSP, there are a few standards you may want to consider. ISO 9001 sets out quality management requirements, and ISO 17100 specifies requirements for translation services. However, for the purposes of this article, the most relevant standard is ISO 27001, which covers information security management.
Implementation of ISO 27001 guidelines requires a company’s management to do the following:
- Thoroughly examine an organization’s information security risks, accounting for all threats, vulnerabilities, and impacts
- Outline information security controls to address acceptable risks and risk treatment
- Implement a comprehensive management plan to ensure ongoing security needs are met
While some of those requirements can sound broad and vague, there are some important takeaways for you as a client. Using a vendor that follows ISO 27001 guidelines doesn’t mean you’ll never have a data breach—in the ever-changing world of software, new vulnerabilities are frequently found and exploited by malicious actors. However, implementing ISO 27001 means a company already has a strong understanding of its vulnerabilities, policies in place to reduce its exposure to risk, and procedures that allow it to act quickly and mitigate losses should a breach occur.
Choosing an LSP: Making the right call
There are many considerations to take into account when choosing an LSP. Do they assign dedicated project teams to your account, ensuring consistent work? Do they work frequently with your source and target languages? Do they have the right subject matter experts, able to use the correct terminology for your field?
The LSP’s security posture is just one of many considerations you’ll need to evaluate when choosing. Our recommendation: put security first. Why? It’s a conversation that’s best had proactively. If you ignore the subject and are left approaching it reactively, your deliverables, vendor relationships, and client relationships will hang in the balance.
At Protranslating, we are committed to the highest standards of work and security for our clients. To that end, we’ve developed our own secure client portal, are certified for ISO 9001:2015 and ISO 17100:2015, follow ISO 27001 guidelines, undergo annual SOC 2 Type II auditing, and are ITAR compliant. If you want to talk about how security can impact and improve the quality of your language services, contact us today.