Security

Passwords and encrypted URLs

All users have to enter a password, or have access to an encrypted URL, to access their part of the online submissions system. Encrypted links and passwords are only ever sent to the email addresses of registered users.

Newly registered users receive a random temporary password emailed to the address entered on their registration form. The system requires them to change the temporary password the next time they log in.

The same security checks are in place for users who forget their passwords. The system prompts creation of a new random temporary password through the 'Unknown/Forgotten Password?' link on the login page. After accessing this link, the user is emailed a new password and required to update it the first time they log in.

Users' passwords are kept encrypted in a secure SQL database, which is separate from the operating system and protected by an industry-standard firewall. The system does not record an unencrypted version of the users' passwords.

The encrypted URLs that our system uses include a checking mechanism that reveals any alteration made by tampering with the URL. This ensures that users can only access the information that is meant for them.

Other security measures

Password guessing through repeated attempts is prevented because the system locks people out after several failed attempts to log in. When an authorised user is logged in, cookies are used to track that user's approved level of access. 'Roles' are determined from three pieces of information: the user identity, the manuscript identity, and the type of user (author/reviewer, editor, staff). This gives the system a fine-grained security approach. For example, an author on one manuscript may be a reviewer on another manuscript. The system will provide author-level access for the authored manuscript and reviewer-level access for the reviewed manuscript.
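
The tamper check on links and the three-part role described above can be illustrated together. The following is an added example, not the submission system's own code: it assumes an HMAC-SHA256 tag as the checking mechanism, signs rather than encrypts the fields, and adds an expiry time; the key, field names and function names are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key (assumption); a real deployment loads this from a secret store.
SECRET_KEY = b"constructed-demo-key"
ROLES = {"author", "reviewer", "editor", "staff"}  # user types named on the page


def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_link_token(user_id, manuscript_id, role, ttl_seconds=3600, now=None):
    """Bind user, manuscript and role into one URL-safe token with a MAC."""
    if role not in ROLES:
        raise ValueError("unknown role")
    now = int(time.time()) if now is None else now
    claims = {"u": user_id, "m": manuscript_id, "r": role, "exp": now + ttl_seconds}
    payload = b64e(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()
    return payload + "." + b64e(tag)


def verify_link_token(token, now=None):
    """Return the claims if the token is unaltered and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        payload, tag_text = token.split(".")
        expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()
        # Constant-time comparison; any changed character in payload or tag fails here.
        if not hmac.compare_digest(expected, b64d(tag_text)):
            return None
        claims = json.loads(b64d(payload))
    except ValueError:
        return None
    if claims["r"] not in ROLES or claims["exp"] < now:
        return None
    return claims
```

Because the role travels inside the signed fields together with the manuscript identity, a reviewer link for one manuscript cannot be edited into an editor link or pointed at another manuscript without failing verification.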

Back-up procedures

We have a three-tier back-up procedure: the data and files on our database are backed up every 15 minutes and our web servers and file servers are backed up daily. Mirror copies of our backups are kept in two different locations to allow for disaster recovery.

Reviewers' access to manuscripts after review

Generally, in paper-based peer review systems, the reviewers are asked to destroy or return the manuscript after they have reviewed it. The same restriction is in place on our online tracking system. After submitting their review, the reviewer no longer has access to the PDF through our system.

Viruses

All manuscripts are scanned for viruses using industry-standard virus scanning software as part of the submission process. The virus software is updated daily to ensure maximum protection.

