business requirements package

Business Requirements Package SettlementOne

SettlementOne Confidential

Business Requirements

Package

Appraisal Services

Copyright © 2007 by SettlementOne Valuation Corp. All rights reserved.

This document contains confidential and privileged material for the sole use of the intended reader. Any review or distribution not expressly authorized herein is strictly prohibited. The information contained within this document is governed by the terms of a Non-Disclosure Agreement that obligates the reader with access to this document to safeguard its contents from unauthorized disclosure as provided by the Non-Disclosure Agreement. By accessing this document, you agree that you have read and understand the terms of the applicable Non-Disclosure agreement and that you shall abide by the terms of such Non-Disclosure Agreement.

The information within this document represents material that is protected by international and federal copyright and trademark laws. Any use or reuse of this information is strictly prohibited and constitutes a violation of SettlementOne Valuation Corp’s Copyright and other Intellectual Property protection. If you are not the intended reader of this document please contact SettlementOne Valuation Corp. and destroy all copies and even if you are no the intended recipient, you are still subject to all rights reserved by SettlementOne Valuation Corp and the protections set forth herein or any other rights enjoyed by SettlementOne Valuation Corp for any reason whatsoever. No part of this document may be reproduced, stored, archived, or transmitted in any form without the express written consent of SettlementOne Valuation Corp. SettlementOne Valuation Corp. has used its best effort in preparing this document. SettlementOne makes no representations, or warranties with respect to the accuracy or completeness of this document and specifically disclaims any implied warranties or merchantability or fitness for a particular purpose.



Table of Contents

1. Purpose 3

2. Scope of BRP 3

3. SettlementOne Performance Objectives 3

4. Technology Structure and Capabilities 5

5. Data Security Policy 6

6. Privacy Policy 6

7. Certificate of Home Value Code of Conduct (HVCC) Compliance 8

8. Support Availability 9

9. Severity Level Matrix 10

10. Service Level Communication Protocols 10

11. Business Escalation Plan 11

12. Technical Escalation Plan 12

13. Disaster Recovery Plan Outline 12

14. Appendix A - Insurance Coverage Letter 23

15. Appendix B - SAS70 - style third-party audit 24

16. Appendix C - SETTLEMENTONE Observed Holidays 24

16. Appendix D - Definition of Terms 24



1. PURPOSE

The Business Requirements Package (BRP) provides prospective customers and current customers business and technical requirements information for services to be provided to Client by SettlementOne. The services provided by SettlementOne shall meet the operations standards and guidelines stated herein, which are generally stated in terms of events or outcomes, rather than specific procedural requirements. The information enclosed within this BRP is with the agreement that changes, upgrades, and enhancements will be made in technology products and services. SettlementOne continues to improve systems, technologies, and services to provide the highest level of service.

2. SCOPE OF BRP

• Establish SettlementOne performance objectives

• Establish SettlementOne standards for responding to the service needs of the Client

• Establish SettlementOne’s standard communication process during service level events

• Define ‘System Availability’ and how it is measured

• Define SettlementOne support hours

• Establish an escalation process for service level events

• Define SettlementOne’s privacy policy

• Provide documents that may be required by lender.

3. SETTLEMENTONE PERFORMANCE OBJECTIVES

System Availability

‘Production Environment’ is defined as all SettlementOne architecture, network, application, and infrastructure components necessary to provide the Client access or connection to successfully order Appraisals with SettlementOne. ‘SettlementOne Normal Business Hours’ are defined as Monday to Friday from 6:00 a.m. to 5:30 p.m. Pacific Time Zone, excluding major holidays including New Years Day, Memorial Day, Independence Day, Labor Day, Thanksgiving, and Christmas Day.

‘Percentage of Availability’ is defined as 24/7 and 365 days per year. Server maintenance and enhancements are performed as needed and generally occur after 9:00 PM PST outside normal business hours. SettlementOne systems are available, on average, greater than 99.9% of the time. Specifically excluded shall be periods of time when Client system issues do not allow access to SettlementOne systems or Internet. SettlementOne systems average response time to deliver an appraisal is dependent upon the geographical location of the property and market conditions. Please refer to the Turnaround Target Times on the next page. Response times are dependent upon Client system, geographical location, and Internet for availability and delivery of data.



Processing Turnaround Time ‘Processing Turnaround Time’ is defined as the time interval between the request entering SettlementOne’s system architecture and the corresponding response leaving SettlementOne’s system architecture.

Type of Request Processing Turnaround Time Target Appraisal Order

• Delivery Date of the appraisal will vary depending on the geographical location of the property and market conditions. SettlementOne strives to meet the “Date Required Date” provided to us by the client upon ordering of the appraisal. If that date is not obtainable, SettlementOne will notify the client immediately with a revised delivery date. In addition, SettlementOne identifies key activities surrounding the appraisal process and manages turn times for each activity to ensure prompt delivery to the client. The key activities with expected turn times are outlined below:

- Within 2 business hours of receipt of new order, appraiser is

identified and assigned the order. Website will be updated to reflect appraisal has been assigned.

- Client is updated with Inspection Date, via the website, upon

notification that the appraiser has made contact with the borrower and scheduled an inspection. We request that the appraiser contact the borrower the same day of order receipt when possible. If no inspection date is received within 24 hours of order placement, SettlementOne will follow up for inspection date.

- Appraiser is expected to provide appraisal to us within 48

hours of inspection date. - Upon receipt of the appraisal, the appraisal is reviewed by

our Quality Control group within 4 business hours. If Quality Issues exist, the appraiser is notified of corrections needed, and are expected to return the appraisal within 24 hours.

- Post Completion Underwriting conditions are treated at the

highest priority and are provided to the appraiser within 1 hour of receipt. The appraisers are instructed to address those conditions as quickly as possible, but not to exceed 24 hours.

- Any requests for Status Updates on orders in process are

responded to within 2 business hours.

• Although we manage to these key activities, it is understood that delays caused by the Appraiser or Borrower, as well as complex or hard to place properties, could prevent us from achieving these turn time expectations. In all cases, however, the client is informed of any delay that will impact Clients expected delivery time.



Customization Maintenance

Any customizations completed by SettlementOne for the Client in terms of Integration Requirements will be maintained on a perpetual basis. To assure that customizations which have been put in place for the Client interface, SettlementOne will perform whatever due diligence is necessary to test Client customizations and their continued availability before making any change to their system and prior to releasing these changes to a production environment.

Access to Future Customizations

It is foreseeable that from time to time, the Client’s requirement regarding appraisal services may change. These kinds of changes include, but are not limited to: Changes in the versions of MISMO data formats, the validation of certain fields in transactions to the Client’s specifications, and the correction of data formats. The Client will allow a reasonable amount of time for development and QA phases to take place for enhancements that are specific to their interface. Enhancements that are necessary to achieve regulatory or contractual compliance with requirements are the responsibility of SettlementOne, but due diligence will take place to inform the Client of any effect these changes may have on the production interface.

4. TECHNOLOGY STRUCTURE AND CAPABILITIES Systems Adequacy Information Our Platforms generate close to 1,000,000 transactions per month. Our appraisal capabilities should be more than adequate to meet or exceed your requirements, based on the following technical criteria:

Servers (Primary) All Dell Equipment Web Servers - Machine servers running multiple virtual web servers - All Dell 2950 Dual Xenon. - 32GB RAM per server - Windows 2008 Server Database Servers - Multiple Database servers - All Dell 2950 Dual Xenon - 8GM RAM per server - Windows 2008 Server - MS SQL Server 2008



Storage Primary Storage - Promise Data Storage Array - All Drives are 5900 RPM eSATA - All in RAID 6 Configuration for best redundancy - 24 terabytes total capacity Application - Capable of 3600+ reports per hour (1 report per second) - Database load is 60% Writes and 40% Reads - Database Server load is less than 30% - 15 minute log shipping cycle - Nightly Full DB Backups Security - Industry Standard Secure Socket Layer (SSL) 128-bit encrypted communication - System is backed up by a redundant processing center in San Diego, CA.

5. DATA SECURITY POLICY

Policy Statement Access to data residing in administrative systems at SettlementOne is to be granted only to those individuals who must, in the course of exercising their responsibilities, use the specific information. Access to administrative data will be granted to SettlementOne employees only if the Client asks for their own personal information. Access and update capabilities/restrictions will apply to all administrative data and data stored within the SettlementOne office.

Reason for Policy SettlementOne maintains data which is essential to performing business. Data is to be viewed as valued resources over which SettlementOne has both rights and obligations to manage, secure, protect, and control. This policy secures and protects data defined as administrative data stored in and accessible by SettlementOne owned computing systems and accessible by SettlementOne employees in their official business capacities. In addition, this policy addresses broader data issues of the rights and responsibilities of authorized persons in the handling, as well as the security and protection, of SettlementOne data.

6. PRIVACY POLICY

This Privacy Policy, created by SettlementOne, is intended to protect any and all information submitted to SettlementOne by the Client. By accepting this Privacy Policy, the Client will have a better understanding of where their information is being received and how it is being used. SettlementOne reserves the right to make any changes necessary to our privacy policy at any time.

Applicability Access to the Client’s information is restricted to only those who are deemed necessary. The information we collect from the Client is considered nonpublic records and is treated as such.

Types of Information Depending on the different services you are utilizing, your nonpublic information that we collect may include any information we may receive from application, forms, and in other communications to us; whether in writing, in person, by telephone, or by any other resource.



Former Clients If you are no longer our Client, our Privacy Policy still pertains to you.

Confidentiality and Security Any information given to SettlementOne by our Client is solely used for the purpose in which the Client has originally intended such information. SettlementOne will not give the Client’s information to any third parties except when, a.) it is necessary for us to process a transaction or b.) as permitted by law. If the Client’s information is ever given to a third party for those circumstances, it will only be used for the purpose of providing those services.

Employees SettlementOne will continue to do our best in observing our employees to ensure that the Client’s information is being handled in a responsible manner and only being used as intended for purposes in which the Client is aware.



7. CERTIFICATE OF HOME VALUE CODE OF CONDUCT (HVCC) COMPLIANCE



8. SUPPORT AVAILABILITY

8.1 SettlementOne Live Service Support Availability (Pacific Time Zone)

TIMES MONDAY TUESDAY WEDNESDAY THURSDAY FRIDAY SATURDAY SUNDAY

BEGIN 6:00 a.m. 6:00 a.m. 6:00 a.m. 6:00 a.m. 6:00 a.m. ON CALL ON CALL

END 5:30 p.m. 5:30 p.m. 5:30 p.m. 5:30 p.m. 5:30 p.m. ON CALL ON CALL

8.2 SettlementOne Remote Technical Service Support Availability (Pacific Time Zone)

TIMES MONDAY TUESDAY WEDNESDAY THURSDAY FRIDAY SATURDAY SUNDAY

24 ON CALL ON CALL ON CALL ON CALL ON CALL ON CALL ON CALL

HOURS ON CALL ON CALL ON CALL ON CALL ON CALL ON CALL ON CALL



9. SEVERITY LEVEL MATRIX

Severity Level Classification Description RESPONSE

TIME1

TARGET RESOLUTION

TIME2

1 Critical

A widespread disruption in service affecting multiple users and/or locations with significant impact upon Client operations. A temporary work-around solution does not exist or is not feasible.

May also include Severity Level 2 events that are escalated to Severity Level 1 if not resolved within the prescribed time period.

15 MINUTES 2 HOURS

2 High

A limited disruption in service affecting a single user or small group of users with minor impact upon Client operations. A temporary work-around solution does not exist or is not feasible.

May also include Severity Level 3 events that are escalated to Severity Level 2 if not resolved within the prescribed time period.

30 MINUTES 4 HOURS

3 Medium A disruption in service with no appreciable impact upon Client’s operations due to implementation of a temporary work-around solution.

30 MINUTES 24 HOURS

4 Low

A Client initiated inquiry or change request that should be made as soon as possible given the potential for enhancing the business/user experience.

TBD TBD

1 Required Response Time: the time interval from when SettlementOne first becomes aware of a service level event and subsequently notifies the Client (or Requestor for Severity Level 4 events). 2 Target Resolution Time: the time interval from when SettlementOne first becomes aware of a service level event and subsequently resolves the problem (i.e. implements a permanent solution).

10. SERVICE LEVEL COMMUNICATION PROTOCOLS

Whenever a service level event occurs, SettlementOne will initiate communications with the Client according to the severity level protocols set forth below. A SettlementOne representative will clearly state their name, company name, contact number, type of service level event, event description, when the event started, all who are affected, and an estimate of the time required to implement a permanent solution. The following severity level protocols below establish the communication protocols to be observed for all service level events.



An e-mail will also be provided when the interface functions are back to normal. Only those events that are directly and unambiguously attributable to SettlementOne will be considered System Availability (SA) events.

11. BUSINESS ESCALATION PLAN

Special Request on Appraisals

• Contact Appraisal Coordination Team at (800) 340 2009. o Exact team extensions will be specified during Client training.

Appraisal Service Content/Business Service Related Questions/Concerns

• Contact Appraisal Coordination Team at (800) 340-2009

o Exact team extensions will be specified during Client training. • If the Appraisal Coordination Team cannot promptly resolve the problem, the call will

automatically be escalated to Team Supervisor and/or dedicated Account Manager at (800) 340-2009, the Client may request the call to be escalated at any time.

• If the Team Supervisor and/or dedicated Account Manager are unable to resolve problem

within a reasonable time frame, Vicky Hamilton, Director of Appraisal Services, will be directly notified to insure immediate resolution. The Client may request the call to be escalated to the Director of Appraisal Services at any time.

Client Disputes on Appraisals

• A Client must be directed to their dedicated Appraisal Coordination Team at (800) 340-2009 (exact team extensions will be specified during Client training) in the event of an appraisal dispute.

Accounting Department

• Billing questions contact the Accounting Department at (619) 209-3602 • If the question is not promptly answered, the call will be automatically escalated to the

Accounting Manager. The Client may request the call to be escalated at any time.



Escalation Contact List

Contact Team Type Phone Extension

Dedicated Appraisal Coordination Team Appraisal Coordination Office (800) 340 2009

exact extensions provided during Client training

Team Supervisor Appraisal Coordination Office (800) 340- 2009

exact extensions are provided during Client

training

Vicky Hamilton Director of Appraisal Services Office (800) 340 2009 151

Joy Hochstein Accounting Office (619) 209-3602 164

Jo Hartman Director of Quality Assurance Office (800) 340-2009 169

Will Dillard Director of Operations Office (800) 340-2009 168

12. TECHNICAL ESCALATION PLAN

SettlementOne provides Client with a dedicated team for customer support.

Technical Difficulty at Client Site

• Contact Client Appraisal Coordination Team at (800) 340-2009. Once the Appraisal Coordination Team is notified of the problem the call will be routed to the Team Supervisor and/or Account Manager on duty.

• If the Team Supervisor and/or Account Manager cannot promptly resolve the problem, the call will

automatically be escalated to Vicky Hamilton, Director of Appraisal Services, ext 151. Additionally, the Client may request the call to be escalated at any time.

• SettlementOne will constantly monitor the Client’s activity. If any problem arises, SettlementOne

will contact the Client in any manner preferred.

13. DISASTER RECOVERY PLAN OUTLINE

Introduction

SettlementOne increasingly depends on its computing and telecommunications capabilities to provide services to its internal and external customers. The increasing dependency on computers and telecommunications for operational support poses the risk that a lengthy loss of these capabilities could seriously affect the overall performance of the company. A risk analysis identified several components as belonging to risk Level I, comprising those functions whose loss could cause a major impact to SettlementOne. It also categorized a majority of company functions as Essential, or Level II - requiring processing support within 24-72 hours of an outage. This risk assessment process will be repeated on a regular basis to ensure that changes to our processing and environment are reflected in recovery planning. SettlementOne Management recognizes the low probability of severe damage to computing and telecommunications environment, or support services capabilities that support SettlementOne.



Nonetheless, because of the potential impact the need for a plan to reduce the risk of damage from a disaster is vital. SettlementOne's Contingency Plan is designed to reduce the risk to an acceptable level by ensuring the restoration of critical processing within a few hours, and all essential production (Level II processing) within 24-72 hours of the outage.

Fire The threat of fire is always real and poses the highest risk factor of all the causes of disaster mentioned here. The building is built primarily of non-combustible materials and the server room has minimal combustibles within.

Preventive Measures

• Fire Alarms: The building is equipped with a fire alarm system. The server room is equipped with smoke and fire detection systems that are monitored 24x7. In addition, air conditioning and UPS environment are remotely monitored.

• Hand-held fire extinguishers are located throughout the building on all floors.

• Regular reviews of the fire procedures are conducted to insure that they are up to date.

Unannounced drills are conducted and an evaluation is done immediately after with results reviewed with the President/CEO and Director of I.T. and Administration.

• Regular inspections of the fire prevention equipment and practices are also conducted. Fire

extinguishers are periodically inspected as a standard practice. Smoke and fire detectors located in the server room are periodically inspected and cleaned.

Flood The building is not located in an area susceptible to flooding. Any water penetrating the server room can cause extensive damage. The presence of water in that room can pose a threat of electrical shock to personnel within the machine room.

Preventive Measures

• Plans are currently in place to add water detectors that can be monitored by our security system.

• Periodic inspections of the server room is conducted to detect water seepage, especially any time there is a heavy downpour.

• Appropriate Networking and Support Personnel are trained in shutdown procedures.

Tornadoes and High Winds The building is geographically located in an area not at risk of tornados or high winds.

Preventive Measures

• While a fire can be as destructive as a tornado, there are very few preventative measures that we can take for tornados. Building construction is such that it can withstand the forces of high winds.

Earthquake The threat of an earthquake is low, but is not ignored.



Preventive Measures

• The building construction is such to withstand any type of rare quake. A standby power generator is available to provide power should commercial utilities be disrupted.

• Networking and Support staff are trained on the use of the generator equipment.

Computer Crime Computer crime is a threat as systems have become more complex and access is more highly distributed. With networking technologies, more potential for improper access is present. Computer crimes can occur from external or internal sources.

Preventive Measures

• Our production systems have security and authentication practices in place to protect against unauthorized entry.

• Our systems are backed up on a periodic basis. These backups are stored off-site. Backup

schedules and procedures are documented in the technical policies and procedures documentation.

• All code changes undergo extensive testing and code review to ensure that malicious code, or

inadvertent changes are not deployed into the production environment.

• SettlementOne continues to improve security functions on all platforms. Policies and procedures are strictly enforced. Users are reminded of the importance of securing their passwords and choosing passwords that are very difficult to guess.

Terrorist Action and Sabotage Computer systems are always potential targets for terrorist actions, such as a bomb or other destructive devices.

Preventive Measures

• Good physical security is important, however, terrorist actions can occur regardless of building security. An explosive device placed next to an exterior wall of the building or server room may breach the wall and cause damage within the room.

• The building is adequately lit at night and off-hour alarm and security systems are monitored by

an off-site company. The door into the server room area is secured with a lock and only key personnel have access. We consistently maintain good physical security. Doors into the server room are locked at all times. All visitors to the machine room and building are logged in and out.

Assumptions of this Plan

No matter how many precautions are implemented and to what extent they are enforced there are no completely secure environments. The operations could be suddenly disrupted by events we have little or no control over, involving people, mechanics, electronics, or natural disasters. This Plan assumes that a catastrophic event has interrupted our production environment forcing us to utilize our secondary site in San Diego, our backup connectivity or power generator, or some other backup/failover process.

The Plan is predicated on the validity of the following three assumptions:

• The situation that causes the disaster is localized to the computer/server facility; the building or space housing the functional area; or to the communication systems and networks that support



our production environment. This Plan does not cover a general disaster, such as an earthquake, flood, or other events affecting a major portion of the area. It should be noted however, that this Plan will still be functional and effective even in an area-wide disaster. Even though the basic priorities for restoration of essential services to the community will normally take precedence over the recovery of an individual organization, SettlementOne’s Contingency Plan can still provide for a more expeditious restoration of our resources for supporting key functions.

• The Plan is based on the availability of our secondary site as described in other parts of this

document. The accessibility of this, or equivalent back-up resources, is a critical requirement. • This Plan is a document that reflects the changing environment and requirements of

SettlementOne and as such is a living document. Therefore, the Plan requires the continued allocation of resources to maintain it and to keep it in a constant state of readiness.

• The secondary site may be activated outside of a disaster scenario. This plan accounts for the use

of the secondary site for an extended period of time triggering the initiation of the plan.



Team Responsibilities

Activation of this plan will be made jointly by the Business Continuity Coordinators. All executive decisions will be made by the Director of I.T. and/or President/COO. In their absence the Business Continuity Coordinators will, to the best of their abilities make the appropriate decisions necessary to maintain an acceptable level of operation. Those types of decisions include, but not limited to;

• Sending one of the Network Administrators to the secondary site

• Reasonable budget decisions

• Customer communications (For the most part this will be limited to the Support Services

Supervisor and the Documentation/Writer)

• Setting up the production system in another facility

Technical decisions and other minor monetary decisions will be handled by the technicians working on the issue and relayed to the Business Continuity Coordinators. It is the responsibility of the Director of Information Technology and Administration, along with the Business Continuity Response Team to maintain SettlementOne's Contingency Plan and to ensure this document is maintained current and that appropriate tests are conducted in a timely and systematic manner. It is also the responsibility of the Director of Information Technology and Administration to keep the President/COO appraised of events and activities and in the absence or lack of availability of the Director of Information Technology, the Support Service Supervisor will keep the President advised. Business Continuity Response Team

In the event of a disaster, the Business Continuity Response Team provides general support for resources and tasks integral to running the specific functional area. This team requires the full and active participation of the staff members assigned to those affected functional areas. This section provides general information about the organization of recovery efforts and the role of the Business Continuity Response Team. Elsewhere in this document we describe the Business Continuity Response Team and the responsibilities of each SettlementOne Support Team in detail.

Initiation of the Plan

Scope of the Plan The object of this Plan is to restore Critical (Level I) systems immediately and Essential (Level II) systems within 2 hours of a disaster that disables any functional area and/or essential equipment supporting the systems or functions in that area. The initial Risk Assessment of the computer applications that support SettlementOne administration assigned systems to Level I Critical. This risk category identifies applications that have the highest priority and must be restored as quickly as possible. Specifically, each function of these systems was evaluated and allocated a place in one of four risk categories, as described below.



• Level I - Critical Functions Customers being able to order and/or receive an appraisal.

• Level II - Essential Functions Access to previously ordered appraisals.

• Level III - Desirable Functions Management Reports

Resources Used in Recovery In the event of a disaster, the kit will be used to recover any lost functionality.

DR kit contents: • Procedures • Disks for configuring servers • Latest application configuration • Minimum hardware, environment and application requirements • How to procure equipment and fuel • How to locate a facility for the production system

Determining the Level of Disaster

• Level 1: lost the ability to run production from the primary and secondary site and no equipment,

connectivity or building space is available to you

• Level 2: lost the ability to run production from the primary and secondary site, but equipment is available to transport and set up shop somewhere else because connectivity is lost

• Level 3: corrupt or missing data that causes both sites to have to shut down

• Level 4: lost the ability to run production from the primary site and are running for an extended period of time on the secondary site

• Level 5: lost equipment on the primary site that needs to be restored while running production

on the secondary site

• Level 6: corrupt or missing data that causes the primary data servers to be unavailable and the emergency data server is being used or production is being run from the backup site during restore



Prioritizing and Restoring Services Below is a list of services supporting the functionality defined in the scope subsection of this section in the order of importance to make sure it is available. Consider that generator power is restored power and open air cooling is restored cooling if no other is available. The goal here is to make sure that the bare needs of each of the items below are met. Equipment

Using the hardware requirements sheet in the D/R kit, determine if you have enough equipment. If you do not, use the How to Procure Equipment document to obtain the equipment you don’t have available. Once you have a track for that, choose the application that needs to be focused on and determine which servers will serve appropriate functions. After mapping it out, configure each of the devices to serve their functions and restore necessary data.

Power

Using the Environment Requirements document, determine if you have necessary power to support the production system equipment you will be using. If not or if you are setting up shop at a remote location, verify that where you are moving the production system to has that available power. At the primary facility, generator power should be available. Use the procedure in the How to Procure Equipment document to obtain fuel. Connectivity

Using the Environment Requirements document, determine if you have the necessary connectivity to support the production system services you will be using. If not or if you are setting up shop at a remote location, verify that where you are moving the production system to has the necessary bandwidth capacity.

Cooling

Using the Environment Requirements document, determine if you have the necessary cooling capacity to support the production system equipment you will be using. This does not necessarily mean that a cooler has to be brought in, but it does mean that you have to have the ability to keep the servers within operating temperature. This becomes an issue if a lot of servers are being used.

IIS

IIS needs to be brought up quickly in order to have a site presence. A basic site should be brought up to inform customers that we are working on the issue. Beyond this, the IIS box will be the last functionality to be restored. You should focus on the data first, and then the com boxes, and then come back to IIS to configure the application on it.



Data

Determine if data server functionality is good to go. Can you access the data you need on the data server? If you are building a data server from the ground up, use the Build a Box procedures to configure the machine. Then use a backup device to restore the required data to run this application.

Com

Determine if com server functionality is up and running. Depending on the application, you may need more than one com server in order to support the application’s functionality. If you are building a com server from the ground up, use the Build a Box procedures to configure the machine.

Disaster Response

This section describes six required responses to a disaster, or to a problem that could evolve into a disaster:

Detect and determine a disaster condition

Notify persons responsible for recovery

Initiate the SettlementOne's Business Continuity Plan

Activate the designated hot site

Disseminate public information as needed

Provide support services to aid recovery

Each subsection below identifies the organization(s) and/or position(s) responsible for each of these six responses

Disaster Detection and Determination

The detection of an event which could result in a disaster affecting information processing systems at SettlementOne is the responsibility of the Support Department.

Disaster Notification

The Support Department will follow existing procedures and notify the Business Continuity Coordinators and Director of I.T.

Activation of the Secondary Site The responsibility for activation of the secondary site is delegated to the Business Continuity Coordinators.

Dissemination of Public Information

The President/COO and Director of Information Technology/Administration are responsible for directing all meetings and discussions with the news media and the public, and in conjunction with the Human Resource Department.



Post Plan Initiation Assessment

Documentation During the outage, notes will be taken by the Business Continuity Response Team stating actions taken and the times they occurred.

Review After initiation of the plan and the initial actions have been taken, the Business Continuity Response Team will gather and compare notes to determine the current status of the issue and review the effectiveness of actions taken.

Modify Actions if Needed If the review process determines that other action needs to be taken, it will be implemented by the appropriate member of the Business Continuity Response Team.

Make Modifications to Current Procedures Any modifications that need to be made to guidelines and procedures in the Plan will be made and communicated to the Team to ensure everyone understands the current course of action.

Maintenance of the Plan

Plan Maintenance The plan will be evaluated once each year. All portions of the plan will be reviewed and analyzed by the Business Continuity Response Team. In addition the plan will be tested on a regular basis and any faults will be corrected. The Director of Information Technology has the responsibility of overseeing the individual documents and files and ensuring that they meet standards and consistent with the rest of the plan.

Change Driven Maintenance It is inevitable in the changing environment of the computer industry that this Plan will become outdated and unusable unless someone keeps it up to date. Changes that will likely affect the plan fall into several categories:

• Hardware changes

• Software changes

• Facility changes

• Procedural changes

• Personnel changes

• Application growth

As changes occur in any of the areas mentioned above, management will determine if changes to the plan are necessary. Changes that affect the platform recovery portions of the plan will be made by the staff in the affected area. After the changes have been made, the I.T. Director will be advised that the updated documents are available. They will incorporate the changes into the body of the plan and distribute as required.



Changes Requiring Plan Maintenance The following lists some of the types of changes that may require revisions to the disaster recovery plan. Any change that can potentially affect whether the plan can be used to successfully restore the operations of the department's computer and network systems should be reflected in the plan.

Hardware

• Additions, deletions, or upgrades to hardware platforms

Software

• Additions, deletions, or upgrades to system software

• Changes to system configuration

• Changes to applications software affected by the plan

Facilities

• Changes that affect the availability/usability of the Secondary Site location

Personnel

• Changes to personnel identified by name in the plan • Changes to organizational structure of the department

Procedural

• Changes to off-site backup procedures, locations, etc. • Changes to application backups • Changes to vendor lists maintained for acquisition and support purposes

Application Growth

• Changes to application usage • Changes to application configuration causing increased resource consumption



Maintenance Ensuring that this plan reflects ongoing changes to resources is crucial. This task includes updating the plan and revising this document to reflect updates; testing the updated plan; and training personnel. The Business Continuity Response Team members are responsible for this comprehensive maintenance task. Quarterly, the Director of Information Technology and Administration ensures that the plan undergoes a more formal review to confirm the incorporation of any changes since the prior quarter. Annually, the Director of Information Technology and Administration initiates a complete review of the Plan, which could result in major revisions to this document. These revisions will be distributed to all appropriate personnel.

Testing Testing the Business Continuity Plan is an essential element of preparedness. Partial tests of individual components and recovery plans will be carried out on a regular basis by the Support Services Supervisor and Production Systems Specialist. A comprehensive exercise of our continuity capabilities and support by our designated recovery facilities will be performed on an annual basis.



15. APPENDIX B - SAS70 - STYLE THIRD-PARTY AUDIT

Please refer to attached Exhibit A of the Business Requirement Package.

16. APPENDIX C - SETTLEMENTONE OBSERVED HOLIDAYS

SettlementOne

New Year's Day

Memorial Day

Independence Day

Labor Day

Thanksgiving Day

Christmas Day

16. APPENDIX D - DEFINITION OF TERMS

ID No. Term Definition

1. Production Environment All SettlementOne architecture, network, application, and infrastructure components necessary to provide the Client access or connection to successfully order Appraisals with SettlementOne.

2. Processing Turnaround Time The time interval between the request entering SettlementOne’s system architecture and the corresponding response leaving SettlementOne’s system architecture.

3. EE1 Code for specifying first Exception Event threshold whereby an error response is received in lieu of requested appraisal information

4. Required Response Time Time interval from when SettlementOne first becomes aware of a service level event and subsequently notifies the Support Team (or Requestor for Severity Level 4 events)

5. Target Resolution Time Time interval from when SettlementOne first becomes aware of a service level event and subsequently resolves the problem (i.e. implements a permanent solution)