Assuring Homeland Security: Continuous Monitoring, Control & Assurance of Emergency Preparedness
Turoff, Murray, Chumer, Michael, Hiltz, Starr Roxanne, Klashner, Robb, et al., JITTA : Journal of Information Technology Theory and Application
This paper examines the potential relationships of Continuous Auditing and Emergency Preparedness to the design, development, and implementation of Emergency Response Management Information Systems (ERMIS). It develops an argument for the integration of emergency response processes and continuous decision process auditing requirements into the system development life cycle of an organization wide ERMIS.
The state of the art in Information Systems, Auditing (i.e. Continuous Auditing), and the Emergency Preparedness requirements of the society are at the right moment for this integration to occur. This integration would provide for new and robust software and system development foundation enhancements in order to satisfy the unique requirements of an ERMIS with respect to use, decision making, implementation, and costs. Such integration would lead to a pervasive deployment of ERMIS and result in a higher state of readiness than exists currently in organizations. A desirable catalyst in the facilitation of this undertaking is the need for general auditing (as an oversight function) of Emergency Response Preparedness for all organizations (termed an EPTrust assurance audit).
Fundamental advances in software process engineering have created a technological pathway for Information Systems research efforts to pursue broader conceptual issues. A new interdisciplinary professional community of Information Systems Designers, Emergency Response Professionals, and Auditors is proposed to undertake research and development activities to support this endeavor. Such a community must integrate across researchers, developers, and practitioners and as a result a WebCenter devoted to this effort is proposed as an appropriate effort to facilitate this interdisciplinary field by the formation of a new research and development community.
"It's not the strongest of the species that survives, not the most intelligent, but the one most responsive to change."
-Charles Darwin, Origin of the Species, 1859
Homeland security depends critically upon the ability of people and organizations to respond appropriately and reliably in the face of sudden and potentially catastrophic emergencies (Weick 1993). However, the Emergency Preparedness (EP) status of an organization is not always explicit, even to the organization itself or its decision makers, let alone to the public.
Further, EP is subject to an adverse selection problem in that outside observers cannot readily determine whether the lack of information about an organization's EP status is due to security considerations or to actual lack of preparation. In this paper we argue that there is a critical need for an objective, consistent, and publicly available measure of the EP status of an organization. We further discuss the need for the creation of a new assurance product (i.e. EPTrust) which is a set of controls and criteria that auditors can use to measure an organization's degree of EP. The military has a combat readiness reporting scheme, Status of Resources and Training System (SORTS) that quantifies the readiness status of a unit and summarizes the information for the Joint Chiefs of Staff (Brennan 1997). The reporting within SORTS relies on traditional accounting methods for summarizing and consolidating unit readiness information. This provides an indication that similar efforts can be undertaken to identify and report on the EP status of non-military organizations within the oversight function of Homeland security. In addition current technological advancements suggest that continuous auditing processes instead of traditional auditing methodologies may be successfully integrated into the development of new systems and greatly improve organizational risk and vulnerability assessments. However, the military assumes that a crisis is the normal operational environment and decision processes and human roles are very explicit (i. …