Tuesday, July 14, 2009

Restricted Contract System

Later this year ICPSR will be releasing a major new service: the RCS, or Restricted Contract System. This is a suite of several software systems that enable researchers to download restricted-access data. We'll use this for content that is too sensitive for the conventional download system on the web site, but not so sensitive that it needs to reside in a real (or virtual) data enclave. It will replace the current mechanism whereby researchers download user agreements, fill them out in ink, and fax or mail them back to ICPSR, receiving a CD in the mail a week or so later. Instead, researchers will complete the contract online and then download the data to their workstations via a secure download mechanism, using two-factor authentication (2FA) when required.

For very sensitive data where a written security plan would ordinarily be required, our system will instead make use of three components: (1) a network scan of systems that will be used to store or analyze the data; (2) a self-conducted audit of the same systems using freely available software tools; and (3) an online survey asking basic, non-technical questions. Our intent is to streamline the system significantly, but at the same time raise the bar on the level of system security actually achieved.

We expect to wrap up primary development at the end of the summer, and then test the system with specific projects in the fall. We'll open it up for a bit more testing late in the year, and then perhaps launch the product officially in early 2010.
