2. Business Requirements Package
SettlementOne
Table of Contents
1. Purpose 3
2. Scope of BRP 3
3. SettlementOne Performance Objectives 3
4. Technology Structure and Capabilities 5
5. Data Security Policy 6
6. Privacy Policy 6
7. Certificate of Home Value Code of Conduct (HVCC) Compliance 8
8. Support Availability 9
9. Severity Level Matrix 10
10. Service Level Communication Protocols 10
11. Business Escalation Plan 11
12. Technical Escalation Plan 12
13. Disaster Recovery Plan Outline 12
14. Appendix A - Insurance Coverage Letter 23
15. Appendix B - SAS70 - style third-party audit 24
16. Appendix C - SETTLEMENTONE Observed Holidays 24
16. Appendix D - Definition of Terms 24
SettlementOne
Confidential Page 2
3. Business Requirements Package
SettlementOne
1. PURPOSE
The Business Requirements Package (BRP) provides prospective customers and current customers
business and technical requirements information for services to be provided to Client by SettlementOne.
The services provided by SettlementOne shall meet the operations standards and guidelines stated herein,
which are generally stated in terms of events or outcomes, rather than specific procedural requirements.
The information enclosed within this BRP is with the agreement that changes, upgrades, and
enhancements will be made in technology products and services. SettlementOne continues to improve
systems, technologies, and services to provide the highest level of service.
2. SCOPE OF BRP
• Establish SettlementOne performance objectives
• Establish SettlementOne standards for responding to the service needs of the Client
• Establish SettlementOne’s standard communication process during service level events
• Define ‘System Availability’ and how it is measured
• Define SettlementOne support hours
• Establish an escalation process for service level events
• Define SettlementOne’s privacy policy
• Provide documents that may be required by lender.
3. SETTLEMENTONE PERFORMANCE OBJECTIVES
System Availability
‘Production Environment’ is defined as all SettlementOne architecture, network, application, and
infrastructure components necessary to provide the Client access or connection to successfully order
Appraisals with SettlementOne.
‘SettlementOne Normal Business Hours’ are defined as Monday to Friday from 6:00 a.m. to 5:30 p.m.
Pacific Time Zone, excluding major holidays including New Years Day, Memorial Day, Independence Day,
Labor Day, Thanksgiving, and Christmas Day.
‘Percentage of Availability’ is defined as 24/7 and 365 days per year. Server maintenance and
enhancements are performed as needed and generally occur after 9:00 PM PST outside normal business
hours. SettlementOne systems are available, on average, greater than 99.9% of the time. Specifically
excluded shall be periods of time when Client system issues do not allow access to SettlementOne
systems or Internet. SettlementOne systems average response time to deliver an appraisal is dependent
upon the geographical location of the property and market conditions. Please refer to the Turnaround
Target Times on the next page. Response times are dependent upon Client system, geographical
location, and Internet for availability and delivery of data.
SettlementOne
Confidential Page 3
4. Business Requirements Package
SettlementOne
Processing Turnaround Time
‘Processing Turnaround Time’ is defined as the time interval between the request entering
SettlementOne’s system architecture and the corresponding response leaving SettlementOne’s system
architecture.
Type of Request Processing Turnaround Time Target
• Delivery Date of the appraisal will vary depending on the
Appraisal Order geographical location of the property and market conditions.
SettlementOne strives to meet the “Date Required Date”
provided to us by the client upon ordering of the appraisal.
If that date is not obtainable, SettlementOne will notify the
client immediately with a revised delivery date. In addition,
SettlementOne identifies key activities surrounding the
appraisal process and manages turn times for each activity to
ensure prompt delivery to the client. The key activities with
expected turn times are outlined below:
- Within 2 business hours of receipt of new order, appraiser is
identified and assigned the order. Website will be updated
to reflect appraisal has been assigned.
- Client is updated with Inspection Date, via the website, upon
notification that the appraiser has made contact with the
borrower and scheduled an inspection. We request that the
appraiser contact the borrower the same day of order receipt
when possible. If no inspection date is received within 24
hours of order placement, SettlementOne will follow up for
inspection date.
- Appraiser is expected to provide appraisal to us within 48
hours of inspection date.
- Upon receipt of the appraisal, the appraisal is reviewed by
our Quality Control group within 4 business hours. If Quality
Issues exist, the appraiser is notified of corrections needed,
and are expected to return the appraisal within 24 hours.
- Post Completion Underwriting conditions are treated at the
highest priority and are provided to the appraiser within 1
hour of receipt. The appraisers are instructed to address
those conditions as quickly as possible, but not to exceed 24
hours.
- Any requests for Status Updates on orders in process are
responded to within 2 business hours.
• Although we manage to these key activities, it is
understood that delays caused by the Appraiser or
Borrower, as well as complex or hard to place
properties, could prevent us from achieving these turn
time expectations. In all cases, however, the client is
informed of any delay that will impact Clients expected
delivery time.
SettlementOne
Confidential Page 4
5. Business Requirements Package
SettlementOne
Customization Maintenance
Any customizations completed by SettlementOne for the Client in terms of Integration Requirements will
be maintained on a perpetual basis. To assure that customizations which have been put in place for the
Client interface, SettlementOne will perform whatever due diligence is necessary to test Client
customizations and their continued availability before making any change to their system and prior to
releasing these changes to a production environment.
Access to Future Customizations
It is foreseeable that from time to time, the Client’s requirement regarding appraisal services may change.
These kinds of changes include, but are not limited to: Changes in the versions of MISMO data formats,
the validation of certain fields in transactions to the Client’s specifications, and the correction of data
formats. The Client will allow a reasonable amount of time for development and QA phases to take place
for enhancements that are specific to their interface. Enhancements that are necessary to achieve
regulatory or contractual compliance with requirements are the responsibility of SettlementOne, but due
diligence will take place to inform the Client of any effect these changes may have on the production
interface.
4. TECHNOLOGY STRUCTURE AND CAPABILITIES
Systems Adequacy Information
Our Platforms generate close to 1,000,000 transactions per month. Our appraisal capabilities should be
more than adequate to meet or exceed your requirements, based on the following technical criteria:
Servers (Primary)
All Dell Equipment
Web Servers
- Machine servers running multiple virtual web servers
- All Dell 2950 Dual Xenon.
- 32GB RAM per server
- Windows 2008 Server
Database Servers
- Multiple Database servers
- All Dell 2950 Dual Xenon
- 8GM RAM per server
- Windows 2008 Server
- MS SQL Server 2008
SettlementOne
Confidential Page 5
6. Business Requirements Package
SettlementOne
Storage
Primary Storage
- Promise Data Storage Array
- All Drives are 5900 RPM eSATA
- All in RAID 6 Configuration for best redundancy
- 24 terabytes total capacity
Application
- Capable of 3600+ reports per hour (1 report per second)
- Database load is 60% Writes and 40% Reads
- Database Server load is less than 30%
- 15 minute log shipping cycle
- Nightly Full DB Backups
Security
- Industry Standard Secure Socket Layer (SSL) 128-bit encrypted communication
- System is backed up by a redundant processing center in San Diego, CA.
5. DATA SECURITY POLICY
Policy Statement
Access to data residing in administrative systems at SettlementOne is to be granted only to those
individuals who must, in the course of exercising their responsibilities, use the specific information. Access
to administrative data will be granted to SettlementOne employees only if the Client asks for their own
personal information. Access and update capabilities/restrictions will apply to all administrative data and
data stored within the SettlementOne office.
Reason for Policy
SettlementOne maintains data which is essential to performing business. Data is to be viewed as valued
resources over which SettlementOne has both rights and obligations to manage, secure, protect, and
control. This policy secures and protects data defined as administrative data stored in and accessible by
SettlementOne owned computing systems and accessible by SettlementOne employees in their official
business capacities. In addition, this policy addresses broader data issues of the rights and responsibilities
of authorized persons in the handling, as well as the security and protection, of SettlementOne data.
6. PRIVACY POLICY
This Privacy Policy, created by SettlementOne, is intended to protect any and all information submitted to
SettlementOne by the Client. By accepting this Privacy Policy, the Client will have a better understanding
of where their information is being received and how it is being used. SettlementOne reserves the right to
make any changes necessary to our privacy policy at any time.
Applicability
Access to the Client’s information is restricted to only those who are deemed necessary. The information
we collect from the Client is considered nonpublic records and is treated as such.
Types of Information
Depending on the different services you are utilizing, your nonpublic information that we collect may
include any information we may receive from application, forms, and in other communications to us;
whether in writing, in person, by telephone, or by any other resource.
SettlementOne
Confidential Page 6
7. Business Requirements Package
SettlementOne
Former Clients
If you are no longer our Client, our Privacy Policy still pertains to you.
Confidentiality and Security
Any information given to SettlementOne by our Client is solely used for the purpose in which the Client
has originally intended such information. SettlementOne will not give the Client’s information to any third
parties except when, a.) it is necessary for us to process a transaction or b.) as permitted by law. If the
Client’s information is ever given to a third party for those circumstances, it will only be used for the
purpose of providing those services.
Employees
SettlementOne will continue to do our best in observing our employees to ensure that the Client’s
information is being handled in a responsible manner and only being used as intended for purposes in
which the Client is aware.
SettlementOne
Confidential Page 7
8. Business Requirements Package
SettlementOne
7. CERTIFICATE OF HOME VALUE CODE OF CONDUCT (HVCC) COMPLIANCE
SettlementOne
Confidential Page 8
9. Business Requirements Package
SettlementOne
8. SUPPORT AVAILABILITY
8.1 SettlementOne Live Service Support Availability (Pacific Time Zone)
TIMES MONDAY TUESDAY WEDNESDAY THURSDAY FRIDAY SATURDAY SUNDAY
BEGIN 6:00 a.m. 6:00 a.m. 6:00 a.m. 6:00 a.m. 6:00 a.m. ON CALL ON CALL
END 5:30 p.m. 5:30 p.m. 5:30 p.m. 5:30 p.m. 5:30 p.m. ON CALL ON CALL
8.2 SettlementOne Remote Technical Service Support Availability (Pacific Time Zone)
TIMES MONDAY TUESDAY WEDNESDAY THURSDAY FRIDAY SATURDAY SUNDAY
24 ON CALL ON CALL ON CALL ON CALL ON CALL ON CALL ON CALL
HOURS ON CALL ON CALL ON CALL ON CALL ON CALL ON CALL ON CALL
SettlementOne
Confidential Page 9
10. Business Requirements Package
SettlementOne
9. SEVERITY LEVEL MATRIX
TARGET
Severity Description RESPONSE
Classification RESOLUTION
Level TIME1
TIME2
A widespread disruption in service affecting
multiple users and/or locations with significant
impact upon Client operations. A temporary work-
Critical around solution does not exist or is not feasible.
1 15 MINUTES 2 HOURS
May also include Severity Level 2 events that are
escalated to Severity Level 1 if not resolved within
the prescribed time period.
A limited disruption in service affecting a single
user or small group of users with minor impact
upon Client operations. A temporary work-around
solution does not exist or is not feasible.
2 High 30 MINUTES 4 HOURS
May also include Severity Level 3 events that are
escalated to Severity Level 2 if not resolved within
the prescribed time period.
A disruption in service with no appreciable impact
3 Medium upon Client’s operations due to implementation of 30 MINUTES 24 HOURS
a temporary work-around solution.
A Client initiated inquiry or change request that
should be made as soon as possible given the
4 Low potential for enhancing the business/user TBD TBD
experience.
1
Required Response Time: the time interval from when SettlementOne first becomes aware of a service level event and
subsequently notifies the Client (or Requestor for Severity Level 4 events).
2
Target Resolution Time: the time interval from when SettlementOne first becomes aware of a service level event and
subsequently resolves the problem (i.e. implements a permanent solution).
10. SERVICE LEVEL COMMUNICATION PROTOCOLS
Whenever a service level event occurs, SettlementOne will initiate communications with the Client
according to the severity level protocols set forth below. A SettlementOne representative will clearly state
their name, company name, contact number, type of service level event, event description, when the
event started, all who are affected, and an estimate of the time required to implement a permanent
solution.
The following severity level protocols below establish the communication protocols to be observed for all
service level events.
SettlementOne
Confidential Page 10
11. Business Requirements Package
SettlementOne
An e-mail will also be provided when the interface functions are back to normal.
Only those events that are directly and unambiguously attributable to SettlementOne will be considered
System Availability (SA) events.
11. BUSINESS ESCALATION PLAN
Special Request on Appraisals
• Contact Appraisal Coordination Team at (800) 340 2009.
o Exact team extensions will be specified during Client training.
Appraisal Service Content/Business Service Related Questions/Concerns
• Contact Appraisal Coordination Team at (800) 340-2009
o Exact team extensions will be specified during Client training.
• If the Appraisal Coordination Team cannot promptly resolve the problem, the call will
automatically be escalated to Team Supervisor and/or dedicated Account Manager at (800)
340-2009, the Client may request the call to be escalated at any time.
• If the Team Supervisor and/or dedicated Account Manager are unable to resolve problem
within a reasonable time frame, Vicky Hamilton, Director of Appraisal Services, will be directly
notified to insure immediate resolution. The Client may request the call to be escalated to the
Director of Appraisal Services at any time.
Client Disputes on Appraisals
• A Client must be directed to their dedicated Appraisal Coordination Team at (800) 340-2009
(exact team extensions will be specified during Client training) in the event of an appraisal
dispute.
Accounting Department
• Billing questions contact the Accounting Department at (619) 209-3602
• If the question is not promptly answered, the call will be automatically escalated to the
Accounting Manager. The Client may request the call to be escalated at any time.
SettlementOne
Confidential Page 11
12. Business Requirements Package
SettlementOne
Escalation Contact List
Contact Team Type Phone Extension
exact extensions
Dedicated Appraisal
Appraisal Coordination Office (800) 340 2009 provided during
Coordination Team
Client training
exact extensions
are provided
Team Supervisor Appraisal Coordination Office (800) 340- 2009
during Client
training
Director of Appraisal
Vicky Hamilton Office (800) 340 2009 151
Services
Joy Hochstein Accounting Office (619) 209-3602 164
Director of Quality
Jo Hartman Office (800) 340-2009 169
Assurance
Will Dillard Director of Operations Office (800) 340-2009 168
12. TECHNICAL ESCALATION PLAN
SettlementOne provides Client with a dedicated team for customer support.
Technical Difficulty at Client Site
• Contact Client Appraisal Coordination Team at (800) 340-2009. Once the Appraisal Coordination
Team is notified of the problem the call will be routed to the Team Supervisor and/or Account
Manager on duty.
• If the Team Supervisor and/or Account Manager cannot promptly resolve the problem, the call will
automatically be escalated to Vicky Hamilton, Director of Appraisal Services, ext 151. Additionally,
the Client may request the call to be escalated at any time.
• SettlementOne will constantly monitor the Client’s activity. If any problem arises, SettlementOne
will contact the Client in any manner preferred.
13. DISASTER RECOVERY PLAN OUTLINE
Introduction
SettlementOne increasingly depends on its computing and telecommunications capabilities to provide
services to its internal and external customers. The increasing dependency on computers and
telecommunications for operational support poses the risk that a lengthy loss of these capabilities could
seriously affect the overall performance of the company. A risk analysis identified several components as
belonging to risk Level I, comprising those functions whose loss could cause a major impact to
SettlementOne. It also categorized a majority of company functions as Essential, or Level II - requiring
processing support within 24-72 hours of an outage. This risk assessment process will be repeated on a
regular basis to ensure that changes to our processing and environment are reflected in recovery
planning.
SettlementOne Management recognizes the low probability of severe damage to computing and
telecommunications environment, or support services capabilities that support SettlementOne.
SettlementOne
Confidential Page 12
13. Business Requirements Package
SettlementOne
Nonetheless, because of the potential impact the need for a plan to reduce the risk of damage from a
disaster is vital. SettlementOne's Contingency Plan is designed to reduce the risk to an acceptable level
by ensuring the restoration of critical processing within a few hours, and all essential production (Level II
processing) within 24-72 hours of the outage.
Fire
The threat of fire is always real and poses the highest risk factor of all the causes of disaster mentioned
here. The building is built primarily of non-combustible materials and the server room has minimal
combustibles within.
Preventive Measures
• Fire Alarms: The building is equipped with a fire alarm system. The server room is equipped with
smoke and fire detection systems that are monitored 24x7. In addition, air conditioning and UPS
environment are remotely monitored.
• Hand-held fire extinguishers are located throughout the building on all floors.
• Regular reviews of the fire procedures are conducted to insure that they are up to date.
Unannounced drills are conducted and an evaluation is done immediately after with results
reviewed with the President/CEO and Director of I.T. and Administration.
• Regular inspections of the fire prevention equipment and practices are also conducted. Fire
extinguishers are periodically inspected as a standard practice. Smoke and fire detectors located
in the server room are periodically inspected and cleaned.
Flood
The building is not located in an area susceptible to flooding. Any water penetrating the server room can
cause extensive damage. The presence of water in that room can pose a threat of electrical shock to
personnel within the machine room.
Preventive Measures
• Plans are currently in place to add water detectors that can be monitored by our security system.
• Periodic inspections of the server room is conducted to detect water seepage, especially any time
there is a heavy downpour.
• Appropriate Networking and Support Personnel are trained in shutdown procedures.
Tornadoes and High Winds
The building is geographically located in an area not at risk of tornados or high winds.
Preventive Measures
• While a fire can be as destructive as a tornado, there are very few preventative measures that
we can take for tornados. Building construction is such that it can withstand the forces of high
winds.
Earthquake
The threat of an earthquake is low, but is not ignored.
SettlementOne
Confidential Page 13
14. Business Requirements Package
SettlementOne
Preventive Measures
• The building construction is such to withstand any type of rare quake. A standby power
generator is available to provide power should commercial utilities be disrupted.
• Networking and Support staff are trained on the use of the generator equipment.
Computer Crime
Computer crime is a threat as systems have become more complex and access is more highly distributed.
With networking technologies, more potential for improper access is present. Computer crimes can occur
from external or internal sources.
Preventive Measures
• Our production systems have security and authentication practices in place to protect against
unauthorized entry.
• Our systems are backed up on a periodic basis. These backups are stored off-site. Backup
schedules and procedures are documented in the technical policies and procedures
documentation.
• All code changes undergo extensive testing and code review to ensure that malicious code, or
inadvertent changes are not deployed into the production environment.
• SettlementOne continues to improve security functions on all platforms. Policies and procedures
are strictly enforced. Users are reminded of the importance of securing their passwords and
choosing passwords that are very difficult to guess.
Terrorist Action and Sabotage
Computer systems are always potential targets for terrorist actions, such as a bomb or other destructive
devices.
Preventive Measures
• Good physical security is important, however, terrorist actions can occur regardless of building
security. An explosive device placed next to an exterior wall of the building or server room may
breach the wall and cause damage within the room.
• The building is adequately lit at night and off-hour alarm and security systems are monitored by
an off-site company. The door into the server room area is secured with a lock and only key
personnel have access. We consistently maintain good physical security. Doors into the server
room are locked at all times. All visitors to the machine room and building are logged in and out.
Assumptions of this Plan
No matter how many precautions are implemented and to what extent they are enforced there are no
completely secure environments. The operations could be suddenly disrupted by events we have little or
no control over, involving people, mechanics, electronics, or natural disasters. This Plan assumes that a
catastrophic event has interrupted our production environment forcing us to utilize our secondary site in
San Diego, our backup connectivity or power generator, or some other backup/failover process.
The Plan is predicated on the validity of the following three assumptions:
• The situation that causes the disaster is localized to the computer/server facility; the building or
space housing the functional area; or to the communication systems and networks that support
SettlementOne
Confidential Page 14
15. Business Requirements Package
SettlementOne
our production environment. This Plan does not cover a general disaster, such as an earthquake,
flood, or other events affecting a major portion of the area. It should be noted however, that this
Plan will still be functional and effective even in an area-wide disaster. Even though the basic
priorities for restoration of essential services to the community will normally take precedence over
the recovery of an individual organization, SettlementOne’s Contingency Plan can still provide for
a more expeditious restoration of our resources for supporting key functions.
• The Plan is based on the availability of our secondary site as described in other parts of this
document. The accessibility of this, or equivalent back-up resources, is a critical requirement.
• This Plan is a document that reflects the changing environment and requirements of
SettlementOne and as such is a living document. Therefore, the Plan requires the continued
allocation of resources to maintain it and to keep it in a constant state of readiness.
• The secondary site may be activated outside of a disaster scenario. This plan accounts for the use
of the secondary site for an extended period of time triggering the initiation of the plan.
SettlementOne
Confidential Page 15
16. Business Requirements Package
SettlementOne
Team Responsibilities
Activation of this plan will be made jointly by the Business Continuity Coordinators. All executive decisions
will be made by the Director of I.T. and/or President/COO. In their absence the Business Continuity
Coordinators will, to the best of their abilities make the appropriate decisions necessary to maintain an
acceptable level of operation. Those types of decisions include, but not limited to;
• Sending one of the Network Administrators to the secondary site
• Reasonable budget decisions
• Customer communications (For the most part this will be limited to the Support Services
Supervisor and the Documentation/Writer)
• Setting up the production system in another facility
Technical decisions and other minor monetary decisions will be handled by the technicians working on
the issue and relayed to the Business Continuity Coordinators.
It is the responsibility of the Director of Information Technology and Administration, along with the
Business Continuity Response Team to maintain SettlementOne's Contingency Plan and to ensure this
document is maintained current and that appropriate tests are conducted in a timely and systematic
manner. It is also the responsibility of the Director of Information Technology and Administration to keep
the President/COO appraised of events and activities and in the absence or lack of availability of the
Director of Information Technology, the Support Service Supervisor will keep the President advised.
Business Continuity Response Team
In the event of a disaster, the Business Continuity Response Team provides general support for resources
and tasks integral to running the specific functional area. This team requires the full and active
participation of the staff members assigned to those affected functional areas.
This section provides general information about the organization of recovery efforts and the role of the
Business Continuity Response Team. Elsewhere in this document we describe the Business Continuity
Response Team and the responsibilities of each SettlementOne Support Team in detail.
Initiation of the Plan
Scope of the Plan
The object of this Plan is to restore Critical (Level I) systems immediately and Essential (Level II) systems
within 2 hours of a disaster that disables any functional area and/or essential equipment supporting the
systems or functions in that area.
The initial Risk Assessment of the computer applications that support SettlementOne administration
assigned systems to Level I Critical. This risk category identifies applications that have the highest priority
and must be restored as quickly as possible. Specifically, each function of these systems was evaluated
and allocated a place in one of four risk categories, as described below.
SettlementOne
Confidential Page 16
17. Business Requirements Package
SettlementOne
• Level I - Critical Functions
Customers being able to order and/or receive an appraisal.
• Level II - Essential Functions
Access to previously ordered appraisals.
• Level III - Desirable Functions
Management Reports
Resources Used in Recovery
In the event of a disaster, the kit will be used to recover any lost functionality.
DR kit contents:
• Procedures
• Disks for configuring servers
• Latest application configuration
• Minimum hardware, environment and application requirements
• How to procure equipment and fuel
• How to locate a facility for the production system
Determining the Level of Disaster
• Level 1: lost the ability to run production from the primary and secondary site and no equipment,
connectivity or building space is available to you
• Level 2: lost the ability to run production from the primary and secondary site, but equipment is
available to transport and set up shop somewhere else because connectivity is lost
• Level 3: corrupt or missing data that causes both sites to have to shut down
• Level 4: lost the ability to run production from the primary site and are running for an extended
period of time on the secondary site
• Level 5: lost equipment on the primary site that needs to be restored while running production
on the secondary site
• Level 6: corrupt or missing data that causes the primary data servers to be unavailable and the
emergency data server is being used or production is being run from the backup site during
restore
SettlementOne
Confidential Page 17
18. Business Requirements Package
SettlementOne
Prioritizing and Restoring Services
Below is a list of services supporting the functionality defined in the scope subsection of this section in
the order of importance to make sure it is available. Consider that generator power is restored power and
open air cooling is restored cooling if no other is available. The goal here is to make sure that the bare
needs of each of the items below are met.
Equipment
Using the hardware requirements sheet in the D/R kit, determine if you have enough equipment. If you
do not, use the How to Procure Equipment document to obtain the equipment you don’t have available.
Once you have a track for that, choose the application that needs to be focused on and determine which
servers will serve appropriate functions. After mapping it out, configure each of the devices to serve their
functions and restore necessary data.
Power
Using the Environment Requirements document, determine if you have necessary power to support the
production system equipment you will be using. If not or if you are setting up shop at a remote location,
verify that where you are moving the production system to has that available power. At the primary
facility, generator power should be available. Use the procedure in the How to Procure Equipment
document to obtain fuel.
Connectivity
Using the Environment Requirements document, determine if you have the necessary connectivity to
support the production system services you will be using. If not or if you are setting up shop at a remote
location, verify that where you are moving the production system to has the necessary bandwidth
capacity.
Cooling
Using the Environment Requirements document, determine if you have the necessary cooling capacity to
support the production system equipment you will be using. This does not necessarily mean that a cooler
has to be brought in, but it does mean that you have to have the ability to keep the servers within
operating temperature. This becomes an issue if a lot of servers are being used.
IIS
IIS needs to be brought up quickly in order to have a site presence. A basic site should be brought up to
inform customers that we are working on the issue. Beyond this, the IIS box will be the last functionality
to be restored. You should focus on the data first, and then the com boxes, and then come back to IIS to
configure the application on it.
SettlementOne
Confidential Page 18
19. Business Requirements Package
SettlementOne
Data
Determine if data server functionality is good to go. Can you access the data you need on the data
server? If you are building a data server from the ground up, use the Build a Box procedures to configure
the machine. Then use a backup device to restore the required data to run this application.
Com
Determine if com server functionality is up and running. Depending on the application, you may need
more than one com server in order to support the application’s functionality. If you are building a com
server from the ground up, use the Build a Box procedures to configure the machine.
Disaster Response
This section describes six required responses to a disaster, or to a problem that could evolve into a
disaster:
Detect and determine a disaster condition
Notify persons responsible for recovery
Initiate the SettlementOne's Business Continuity Plan
Activate the designated hot site
Disseminate public information as needed
Provide support services to aid recovery
Each subsection below identifies the organization(s) and/or position(s) responsible for each of
these six responses
Disaster Detection and Determination
The detection of an event which could result in a disaster affecting information processing systems at
SettlementOne is the responsibility of the Support Department.
Disaster Notification
The Support Department will follow existing procedures and notify the Business Continuity Coordinators
and Director of I.T.
Activation of the Secondary Site
The responsibility for activation of the secondary site is delegated to the Business Continuity
Coordinators.
Dissemination of Public Information
The President/COO and Director of Information Technology/Administration are responsible for directing
all meetings and discussions with the news media and the public, and in conjunction with the Human
Resource Department.
SettlementOne
Confidential Page 19
20. Business Requirements Package
SettlementOne
Post Plan Initiation Assessment
Documentation
During the outage, notes will be taken by the Business Continuity Response Team stating actions taken
and the times they occurred.
Review
After initiation of the plan and the initial actions have been taken, the Business Continuity Response
Team will gather and compare notes to determine the current status of the issue and review the
effectiveness of actions taken.
Modify Actions if Needed
If the review process determines that other action needs to be taken, it will be implemented by the
appropriate member of the Business Continuity Response Team.
Make Modifications to Current Procedures
Any modifications that need to be made to guidelines and procedures in the Plan will be made and
communicated to the Team to ensure everyone understands the current course of action.
Maintenance of the Plan
Plan Maintenance
The plan will be evaluated once each year. All portions of the plan will be reviewed and analyzed by the
Business Continuity Response Team. In addition the plan will be tested on a regular basis and any faults
will be corrected. The Director of Information Technology has the responsibility of overseeing the
individual documents and files and ensuring that they meet standards and consistent with the rest of the
plan.
Change Driven Maintenance
It is inevitable in the changing environment of the computer industry that this Plan will become outdated
and unusable unless someone keeps it up to date. Changes that will likely affect the plan fall into several
categories:
• Hardware changes
• Software changes
• Facility changes
• Procedural changes
• Personnel changes
• Application growth
As changes occur in any of the areas mentioned above, management will determine if changes to the
plan are necessary. Changes that affect the platform recovery portions of the plan will be made by the
staff in the affected area. After the changes have been made, the I.T. Director will be advised that the
updated documents are available. They will incorporate the changes into the body of the plan and
distribute as required.
SettlementOne
Confidential Page 20
21. Business Requirements Package
SettlementOne
Changes Requiring Plan Maintenance
The following lists some of the types of changes that may require revisions to the disaster recovery plan.
Any change that can potentially affect whether the plan can be used to successfully restore the
operations of the department's computer and network systems should be reflected in the plan.
Hardware
• Additions, deletions, or upgrades to hardware platforms
Software
• Additions, deletions, or upgrades to system software
• Changes to system configuration
• Changes to applications software affected by the plan
Facilities
• Changes that affect the availability/usability of the Secondary Site location
Personnel
• Changes to personnel identified by name in the plan
• Changes to organizational structure of the department
Procedural
• Changes to off-site backup procedures, locations, etc.
• Changes to application backups
• Changes to vendor lists maintained for acquisition and support purposes
Application Growth
• Changes to application usage
• Changes to application configuration causing increased resource consumption
SettlementOne
Confidential Page 21
22. Business Requirements Package
SettlementOne
Maintenance
Ensuring that this plan reflects ongoing changes to resources is crucial. This task includes updating the
plan and revising this document to reflect updates; testing the updated plan; and training personnel. The
Business Continuity Response Team members are responsible for this comprehensive maintenance task.
Quarterly, the Director of Information Technology and Administration ensures that the plan undergoes a
more formal review to confirm the incorporation of any changes since the prior quarter. Annually, the
Director of Information Technology and Administration initiates a complete review of the Plan, which
could result in major revisions to this document. These revisions will be distributed to all appropriate
personnel.
Testing
Testing the Business Continuity Plan is an essential element of preparedness. Partial tests of individual
components and recovery plans will be carried out on a regular basis by the Support Services Supervisor
and Production Systems Specialist. A comprehensive exercise of our continuity capabilities and support by
our designated recovery facilities will be performed on an annual basis.
SettlementOne
Confidential Page 22
23.
24. Business Requirements Package
SettlementOne
15. APPENDIX B - SAS70 - STYLE THIRD-PARTY AUDIT
Please refer to attached Exhibit A of the Business Requirement Package.
16. APPENDIX C - SETTLEMENTONE OBSERVED HOLIDAYS
SettlementOne
New Year's Day
Memorial Day
Independence Day
Labor Day
Thanksgiving Day
Christmas Day
16. APPENDIX D - DEFINITION OF TERMS
ID No. Term Definition
All SettlementOne architecture, network, application, and infrastructure
1. Production Environment components necessary to provide the Client access or connection to
successfully order Appraisals with SettlementOne.
The time interval between the request entering SettlementOne’s system
2. Processing Turnaround Time architecture and the corresponding response leaving SettlementOne’s
system architecture.
Code for specifying first Exception Event threshold whereby an error
3. EE1
response is received in lieu of requested appraisal information
Time interval from when SettlementOne first becomes aware of a service
4. Required Response Time level event and subsequently notifies the Support Team (or Requestor for
Severity Level 4 events)
Time interval from when SettlementOne first becomes aware of a service
5. Target Resolution Time level event and subsequently resolves the problem (i.e. implements a
permanent solution)
SettlementOne
Confidential Page 24