Ocwen
OTX Process Controls
Sarbanes Oxley 404 Assessment
Network Operations Process Controls 2004
OBJECTIVES
END OF DAY ESCALATION AND SUPPORT (REALSERVICING)
CONTROL DOCUMENT END OF DAY (REAL SERVICING)
PROPOSED END OF DAY ESCALATION AND SUPPORT (REALSERVICING)
GAP ANALYSIS END OF DAY (REAL SERVICING)
GAP ANALYSIS SDLC MODEL FOR REAL SUITE (SERVICING, TRANS, MORTGAGE)
SLA METRICS CRITICAL APPLICATIONS
UPTIME/DOWNTIME OF SLA APPLICATIONS
GLOBAL INTERNET ROUTER GROUP
WAN US/INDIA
SERVICE LEVEL AGREEMENT
PURPOSE
Key Applications/Systems
Necessary Applications/Systems
SCOPE OF SERVICES
DEFINITION OF WHAT IS BEING MEASURED
ACCEPTABLE RANGE OF SERVICE {AVAILABILITY, PERFORMANCE & QUALITY}
FREQUENCY AND INTERVAL OF MEASUREMENT
FACTORS AFFECTING SLA METRICS
A change occurs to the Real Suite of Applications 84.5% of the business week.
SERVER IMPLEMENTATION
PROPOSED OPERATIONS SERVER IMPLEMENTATION PROFILE
CONTROL DOCUMENT SERVER IMPLEMENTATION
GAP ANALYSIS SERVER IMPLEMENTATION
WORKSTATION IMPLEMENTATION
CONTROL DOCUMENT WORKSTATION IMPLEMENTATION
GAP ANALYSIS WORKSTATION IMPLEMENTATION
INFORMATION SECURITY INCIDENT RESPONSE
CONTROL DOCUMENT INCIDENT RESPONSE
GAP ANALYSIS INCIDENT RESPONSE
Network Operations Process Controls
Assessment and critical process review for Ocwen OTX
Objectives
Ocwen Technology Xchange (OTX) delivers process-driven technology solutions to the real estate and mortgage banking industries, enabling users to increase operating efficiencies, reduce overall costs and enhance revenue streams. Executive Management has identified key areas inside Network Operations that require process reviews. This process review is in preparation for the full Sarbanes-Oxley 404 assessment. The objective of this project is to identify these processes and document the current steps in each of them, to identify areas of weakness and strength, and to make recommendations for these processes that improve the overall work flow of the network operations environment.
The overall Information Technology Infrastructure is poorly managed and maintained. A review should be performed of the overall skill sets of those managers and executives who provide direction and focus. Many of the most basic areas that were reviewed were lacking fundamental controls.
A total of 38 separate projects have been identified inside the Ocwen Information Technology infrastructure that can be considered material weaknesses. These projects have been provided to the CIO in a separate SOW.
The following areas will be reviewed.
1.) End of Day Support and Escalation Process.
2.) SDLC System Patch Real Servicing
3.) SDLC System Update Real Servicing.
4.) Server Implementation.
5.) Workstation Implementation.
6.) SLA Metrics Critical Applications
7.) SLA Metrics WAN
8.) Network Monitoring.
9.) Incident Response.
10.) Network Management.
11.) Network Documentation.
12.) D&R Planning.
13.) Information Security Incident Response
14.) COSO Scale
15.) Ocwen overall recommendations
End of Day Escalation and Support (RealServicing)
Control Document End of Day (Real Servicing)
Sarbanes Oxley Control Sheet
REAL Servicing Ver 1.0 Date Modified 02/04/04
Prepared by: Richard Block
Columns on the sheet: Step | Formal | Informal | Detail | Report Created | Weakness. An (X) marks a step ticked on the sheet.
Step 1. Issue reported to Help Desk (X)
    Detail: User contacts Help Desk to report an issue with Real Servicing.
Step 3. Help Desk assigns ticket to the Support Q for the correct person (X)
    Weakness: Help Desk may not correctly assign the ticket to the correct Q.
Step 4. User training takes place.
    Detail: This is a very informal process. The Help Desk attempts to perform basic training via telephone. If this is not sufficient, it is turned over to the department as an internal issue.
Step 5. Help Desk performs basic analysis to determine which Support Q it should be assigned to (X)
    Weakness: Help Desk lacks the skill sets to correctly identify the right support path. The process is not always followed.
Step 6. Operations begins a manual escalation process (X)
    Weakness: No defined time frames for escalation. Key users are not notified. The contact list is outdated and no process is defined for contacting departments.
Step 7. Database group resolves the issue (X)
    Weakness: It appears that no other group is assigned Real Servicing issues.
Step 8. Help Desk notifies Operations that the issue has been resolved (X)
Step 9. Help Desk closes the ticket (X)
Step 10. Help Desk sends notification that the ticket has been closed (X)
Proposed End of Day Escalation and Support (RealServicing)
Gap Analysis End of Day (Real Servicing)
Many areas of the End of Day process have significant weaknesses. The lack of documentation of the overall process is first and foremost: there are almost no documented steps for this complex and evolved IT (Information Technology) procedure.
Listed here are several of the many material weaknesses identified in the process.
1.) No documentation of the wire transfers and other input sources. The total may exceed $100,000,000 per day in transactions.
2.) There is no clearly documented chain of roles and responsibilities, i.e. the operations staff has no clear definition of who they report to. When a problem occurs with this process there is no formal contact process or escalation procedure.
3.) Interviews with the CIO, CFO and Director of Network Operations show that no formal controls exist that validate the $ amounts input against the $ amounts submitted to the G/L. The CIO admitted to "a bucket of money in and a bucket out" that has no formal and few informal controls.
4.) There is no documented SDLC, and there is no plan to create an ISO 9000 standard for maintaining the current Real suite of applications that are used to support inputs into the end of day process.
5.) No documentation is available that shows which scripts (i.e. Perl, C or C++) are run to start, check, verify and complete the end of day process.
6.) No data was presented or documentation found validating that any IT process exists or was created to show the accuracy of End of Day. This means that errors could occur that have no controls, could overcharge or undercharge $ between debit and credit applications, and could show losses or gains in the millions of dollars.
Based on the failure of these basic control sets within this process, this report recommends that Ocwen initiate an overall documentation and review process to clearly define what End of Day is and how to streamline the process.
A separate SOW will be submitted for review to address the specific complexities of the project.
Gap Analysis SDLC Model for Real Suite (Servicing, Trans, Mortgage)
OTX has outsourced its software development to India. Currently India uses the Waterfall Model for software development. This model has many failings, identified below; in addition to these issues, Ocwen has an extremely high failure rate with these applications. RealServicing experienced over 30% downtime during normal production hours in 2003.
The current Trouble Ticket system shows over 7000 tickets opened in 12 months on the RealServicing suite of applications.
WhatsUp Gold 1-year data analysis
SLA Applications

Device                Total Min Downtime   Downtime % (1 year period)   Uptime % (1 year period)
CMS                                 1567                         1.73                      98.27
Data Warehouse                      1192                         1.31                      98.69
G Drive                             1445                         1.59                      98.41
Exchange IMAP4                      7954                         8.77                      91.23
  Device Downtime                   1399                         1.54                      98.46
FACS Telnet Server                 18876                        20.81                      79.19
  Device Downtime                  15456                        17.04                      82.96
*Real Servicing                    29876                        32.93                      67.07
*Real Synergy                      26541                        29.26                      70.74
*Real Trans                        24567                        27.08                      72.92
Total & Averages                  127306                        15.61                      84.39
Waterfall Model
The least flexible and most obsolete of the life cycle models. Well suited to projects that have low risk in the areas of user interface and performance requirements, but high risk in budget and schedule predictability and control.
There have been a number of criticisms of the standard waterfall model, including
1. Problems are not discovered until system testing.
2. Requirements must be fixed before the system is designed - requirements evolution makes the development method unstable.
3. Design and code work often turn up requirements inconsistencies, missing system components, and unexpected development needs.
4. System performance cannot be tested until the system is almost coded; undercapacity may be difficult to correct.
5. The standard waterfall model is associated with the failure or cancellation of a number of large systems. It can also be very expensive. As a result, the software development community has experimented with a number of alternative approaches.
6. Real projects rarely follow the sequential flow that the model proposes.
7. At the beginning of most projects there is often a great deal of uncertainty about requirements and goals, and it is therefore difficult for customers to identify these criteria on a detailed level. The model does not accommodate this natural uncertainty very well.
8. Developing a system using the Waterfall Model can be a long, painstaking process that does not yield a working version of the system until late in the process.
The standard waterfall model for systems development is an approach that goes through the following steps:
1. Document System Concept
2. Identify System Requirements and Analyze Them
3. Break the System into Pieces (Architectural Design)
4. Design Each Piece (Detailed Design)
5. Code the System Components and Test Them Individually (Coding, Debugging, and Unit Testing)
6. Integrate the Pieces and Test the System (System Testing)
7. Deploy the System and Operate It
Conclusions:
Based on a detailed assessment of all data from the sources documented above, it is the opinion of this report that this is a Material Weakness and directly impacts the reliability and accuracy of financial transactions submitted to Ocwen's G/L.
Based on the guidelines established in Sarbanes-Oxley and the methodology from COBIT, Ocwen must establish a remediation process to address this issue or disclose it as a Material Weakness.
SLA Metrics Critical Applications
Uptime/Downtime of SLA Applications
WhatsUp Gold is currently being used to monitor the availability of critical applications. These applications have been defined by the business units as NEED TO HAVE to perform their critical functions. The Business Units, in conjunction with the Network Operations department, have developed an SLA to establish these guidelines for uptime and availability.
Global Internet Router Group
WAN US/INDIA
SERVICE LEVEL AGREEMENT
Purpose
This agreement dated February 15, 2002 between Ocwen Technology Xchange (Vendor) and Ocwen Federal Bank FSB (Customer) outlines the service level roles, responsibilities and objectives of Vendor and Customer in support of the Information Technology Applications and Systems (Systems) utilized by Customer and defined as:
Critical Applications/Systems
1. REALServicing loan servicing system
2. Mortgage Vision & Image Express document imaging system
3. PAM for Mortgages Commercial loan servicing system
4. REALSynergy(TM) New Commercial loan servicing system (Parallel August 2002, LIVE October 2002)
Key Applications/Systems
5. FACS unsecured collection & servicing system
6. Investor Reporting Data Mart investor reporting & reconciliation system
7. Ocwen Web Site (General Information, Customer Service Area, REO)
8. Investor Reporting Web Site
9. Collateral Management System (CMS) document control system
10. Infinium accounting, purchasing and accounts payable system
11. Loan Resolution Workstation default servicing system
12. REO Module real estate management system
13. Davox automated dialing system
14. IVR call center interactive voice response system
15. REALTrans
16. Order Tracking and EDI Gateway
17. IMAP Default/Asset Management tracking system
18. CLS Construction Loan Servicing system
19. YARDI Property Management System
20. VIPER Automated Pricing Model
21. CADDI Due Diligence Model
Necessary Applications/Systems
22. Data Warehouse data repository for EOD & EOM
23. Microsoft Business Suite Outlook, Word, Excel, Access & PowerPoint
24. Network Drives all drives associated with systems, applications and data storage
25. Lasertec check printing application
26. Speedpay - automated check payment system
27. FiServ -- DDA servicing system
28. Spyview
29. ENCORE Direct link to all Bank of America accounts
30. BOA Direct On-line Banking with Bank of America
31. Wires 97/ALF In-house wire generation/tracking software
32. Crystal Reports Reporting Tool
Scope of Services
Vendor will manage and operate all hardware and software necessary to ensure all defined Systems are available and operational to Customer during defined times.
Definition of what is being measured
Available - will be measured as the percentage of minutes per day that all Systems are functional and operational during the following hours:
Zone A - WPB, Orlando & India 2nd shift {4,785 minutes per week}
    Monday through Thursday (7:30 a.m. - 11:00 p.m. EST)
    Friday (7:30 a.m. - 8:00 p.m. EST)
    Saturday (7:30 a.m. - 2:30 p.m. EST)
    Sunday (3:00 p.m. - 10:00 p.m. EST)
Zone B - India Standard shift {2,020 minutes per week}
    Sunday (10:00 p.m. - 6:00 a.m. EST)
    Monday through Thursday (11:00 p.m. - 6:00 a.m. EST)
If a system is operational but cannot be accessed because of a Telecom or Citrix failure, the system is deemed to be DOWN.
Critical Systems on the first calendar day of each month will have a start time of 9:00 a.m. (excluding PAM for Mortgages and REALSynergy).
Systems 6, 9, 10, 11, 12 and 22 on the first calendar day of each month will have a start time of 2:00 p.m.
Performance will be measured by the processing speed and screen refreshing speed that is normal and customary within the Customer's day-to-day business activity.
Quality will be defined as acceptable:
If no more than five (5) of Customer's end-users are not able to use the systems as identified and defined under Availability and Performance, and
All information contained within respective Systems is current, and
All information contained within respective Systems is accurate.
Acceptable Range of Service {Availability, Performance & Quality}
Zone A
Component            SLA Level   Relative Weight
Critical Systems     99%         60%
Key Systems          98.5%       30%
Needed Systems       98%         10%

Zone B
Component            SLA Level   Relative Weight
Critical Systems*    98%         60%
Key Systems          97.5%       30%
Needed Systems       97%         10%
* Three hundred minutes will be excluded from the calculation for the Critical Systems each week because Vendor must recycle the Mortgage Vision Database.
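The Zone A availability measurement and the weighted tier scoring defined above, as an added worked example (not part of the agreement or of Ocwen's or OTX's own tooling). It assumes the Zone A hours, SLA levels and relative weights from the tables, a hypothetical assignment of five of the listed Systems to tiers, and constructed outage records that carry a cause so that Telecom/Citrix failures are counted as DOWN, as the SLA requires.

```python
"""Zone A availability and weighted SLA score under the agreement's rules.
Added example, not report code.  The tier assignment and the outage
records are constructed (hypothetical) sample data."""
from datetime import date, datetime, time

# Zone A measurement window per weekday (Monday = 0), EST, from the SLA text.
ZONE_A = {
    0: (time(7, 30), time(23, 0)), 1: (time(7, 30), time(23, 0)),
    2: (time(7, 30), time(23, 0)), 3: (time(7, 30), time(23, 0)),
    4: (time(7, 30), time(20, 0)),   # Friday
    5: (time(7, 30), time(14, 30)),  # Saturday
    6: (time(15, 0), time(22, 0)),   # Sunday
}

# Zone A table: tier -> (SLA level %, relative weight).
TIERS = {"critical": (99.0, 0.60), "key": (98.5, 0.30), "needed": (98.0, 0.10)}

# Hypothetical subset of the Systems list, mapped to the agreement's tiers.
SYSTEM_TIER = {"REALServicing": "critical", "Mortgage Vision": "critical",
               "FACS": "key", "CMS": "key", "Data Warehouse": "needed"}

SAMPLE_DAY = date(2004, 2, 2)  # a Monday
# Constructed outage records: (system, start, end, cause).
SAMPLE_OUTAGES = [
    ("REALServicing", datetime(2004, 2, 2, 6, 0), datetime(2004, 2, 2, 8, 0), "database"),
    ("Mortgage Vision", datetime(2004, 2, 2, 7, 45), datetime(2004, 2, 2, 8, 15), "citrix"),
    ("FACS", datetime(2004, 2, 2, 12, 0), datetime(2004, 2, 2, 12, 10), "telecom"),
    ("Data Warehouse", datetime(2004, 2, 2, 2, 0), datetime(2004, 2, 2, 5, 0), "batch"),
]


def window_for(day):
    """Zone A (start, end) datetimes for a calendar day."""
    start, end = ZONE_A[day.weekday()]
    return datetime.combine(day, start), datetime.combine(day, end)


def overlap_minutes(a_start, a_end, b_start, b_end):
    """Whole minutes shared by two intervals (0 when they do not touch)."""
    start, end = max(a_start, b_start), min(a_end, b_end)
    return max(0, int((end - start).total_seconds() // 60))


def merge(intervals):
    """Merge overlapping intervals so concurrent outages are not double-counted."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def tier_availability(tier, outages, day):
    """Percent of the day's window in which ALL systems of the tier were usable.

    Every outage counts regardless of cause: a system that is up but
    unreachable through Telecom or Citrix is DOWN under the SLA.  Downtime
    outside the Zone A window (e.g. a 2-5 a.m. batch outage) is not counted."""
    w_start, w_end = window_for(day)
    intervals = [(s, e) for name, s, e, _cause in outages if SYSTEM_TIER[name] == tier]
    down = sum(overlap_minutes(w_start, w_end, s, e) for s, e in merge(intervals))
    total = overlap_minutes(w_start, w_end, w_start, w_end)
    return round(100.0 * (total - down) / total, 2)


def evaluate_day(day, outages):
    """Per-tier availability, weighted composite score and the tiers below SLA level."""
    avail = {t: tier_availability(t, outages, day) for t in TIERS}
    score = round(sum(avail[t] * TIERS[t][1] for t in TIERS), 2)
    breached = [t for t in TIERS if avail[t] < TIERS[t][0]]
    return {"availability": avail, "weighted_score": score, "breached": breached}


if __name__ == "__main__":
    print(evaluate_day(SAMPLE_DAY, SAMPLE_OUTAGES))
```

On the sample day the two overlapping critical outages are merged and only the 45 minutes inside the 7:30 a.m. window count, so the Critical tier misses its 99% level while the Key tier's 10-minute Telecom outage still passes 98.5%.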
Response Time to Unavailable System
Vendor must respond appropriately for each System when a system is not available. Vendor must respond with an available trained technician to begin analysis on the affected System. Vendor response time will be within acceptable service levels if the technician is on-site and begins the scope analysis within:
Critical Systems - Ten Minutes (10)
Key Systems - Twenty Minutes (20)
Needed Systems - Thirty Minutes (30)
Frequency and Interval of Measurement
Vendor shall measure the Systems daily. Vendor shall submit monitoring reports to Customer bi-weekly. Reports shall be delivered via e-mail by end of day Monday EST for the prior two-week period ending same-day Monday 6:00 p.m. EST. The E-mail Distribution List for Customer shall include:
R. M. Faris
A. J. Castner
S. P. Conradson
S. W. Anderson
M. A. Rotundo
R. N. Pruett
W.B. Shepro
D.A. Winslow
Additional Responsibilities
Vendor assumes responsibility for notifying Customer immediately after beginning problem resolution procedures upon having actual knowledge that a System(s) is or will be:
1. Not Available
2. A Performance issue
3. A problem with Quality
Guidelines
All changes or amendments to this Agreement must be made and agreed to in writing. Authorized representatives of Vendor and Customer must mutually agree upon changes to this Agreement.
Agreed to and acknowledged this __ day of _________, 2002.
Ocwen Federal Bank FSB Ocwen Technology Xchange
______________________ ______________________
By: By:
Its: Its:
Factors Affecting SLA Metrics
A review of the CCB requests for the Real Suite of Applications shows the following.
A total of 214 changes were requested to be performed on the Real Suite of applications from 01/01/03 to 12/31/03 out of 259 business days.
A change occurs to the Real Suite of Applications 84.5% of the business week.
Application       Number of Changes   % per application
Real Servicing    94                  43.9%
REAL Trans        66                  30.8%
REALSAMM          30                  14.0%
REAL Portal       8                   3.3%
Real Doc          7                   3.3%
Real Synergy      6                   2.8%
REAL Vision       2                   .8%
Real Resolution   1                   .4%
This set of applications is currently in what is defined as the Maintenance Mode of a system SDLC. It is strongly recommended that Ocwen adopt a newer methodology for software maintenance, such as an incremental model. This will ensure that system issues are identified and resolved more quickly.
Server Implementation
OTX has defined a production server checklist, which includes the items below; the major weakness with these policies is that none are currently in place. Servers are purchased without IT involvement or vendor interaction.
Proposed Operations Server Implementation Profile
1. general applications description
2. business requirement overview/scope
3. statement of work
4. Project plan which includes: procurement cycle, implementation cycle, tuning cycle
5. total traffic volume expected in bytes (incl min-max levels)
6. traffic profile (time-of-day histogram)
7. network & applications process diagrams
8. systems & IP addresses
9. VPN, firewall, DMZ, and other security considerations
10. monitoring point(s), tool(s), method(s)
11. normal OTX operator procedures
12. operator (or other) interventions required, if any
13. contact list with Ocwen and user/customer phones/pagers
14. abnormal/fault conditions expected w/remedial & escalation procedures
15. expected dates of: pilot, testing, production, post-implementation tuning
16. equipment (servers, switches, routers, etc.) provided by OTX or third party
17. circuits (a.) to be provided by OTX (b.) to be coordinated w/third party
18. domain-name acquisition and administration
19. SLA requirements (incl. capacity, performance)
20. Hours of operational availability
21. Total number of users & users/seats per shift
22. User profiles
23. User support, help desk, & ticket-tracking tool(s)
24. Required redundancy (network & systems)
25. DR considerations
26. Citrix considerations & certification(s), if applicable
27. voice requirements
28. Sign-off from BU
29. Sign-off from Architecture group
30. Sign-off from Operations
31. Sign-off from CIO
32. any other specifications or consideration(s)
Gap Analysis Server Implementation
Currently there are no approved guidelines for file server implementation at Ocwen. The proposed list provided by Steve Fritts addresses the major components of a network server installation.
Workstation Implementation
Gap Analysis Workstation Implementation
Currently there is no approved process for workstation implementation. It is recommended at this time that the company create a basic checklist for a workstation install, which should include:
PC Workstations
Central Processor: Intel Pentium 133MHz or higher
Random Access Memory: 256MB; 384MB for Power Users and/or Office 97
Diskette Drive: 3½" 1.44MB diskette drive
Hard Disk Drive: At least 700MB available
CD-ROM Drive: Must be MPC3 compliant or higher and installed as a local drive - not mapped
Operating System: Windows 98, Windows NT4.0 Workstation, or Windows 2000/XP Professional (and Office 97 or higher, optional) Current Service Pack determined by Network Operations.
NOTE: Each workstation must be a clean OS installation, not an upgrade from a previous operating system. No dual-boot operating system installations.
Multimedia: Speakers or headset, sound card, SVGA monitor and graphics card with a minimum of 1MB memory, and display set to High Color (16 bit).
Software: Each workstation will have installed and configured MS Office XP Professional, Visio, App1, App2, App4, MS Outlook 2000.
Information Security Incident Response
Gap Analysis Incident Response
This assessment did not focus on the company's network infrastructure. However, based on the general overview performed in preparation for this assessment, the following are areas that may be considered areas of exposure.
Desktop Environment
1) This operating system has numerous documented security flaws and exposures. This should be considered a HIGH-RISK issue. A newer desktop operating system such as Windows 2000 is strongly recommended.
Network Environment
2) Router IOS standardization.
3) SNMP standardization of all compatible devices.
4) Bandwidth Monitoring.
5) D&R Plan.
6) Fail-over
7) Network Redundancy.
8) Staffing: The operations department is currently understaffed and does not have the resources at this time to create and maintain the processes and procedures required for a complex data center environment such as A Company has. The existing staff is working more hours than can be maintained for a sustained period of time, and loss of essential personnel is possible if this is not addressed. Based on an ongoing analysis, the following staff recommendations are being submitted.
9) Unix System Administrator: To provide additional support for tape backups, the End of Day process and day-to-day operations. Currently one person fills this role and is working more than 60 hours per week.
10) Supervisors/Managers: A change to the global operations structure is needed to determine the effectiveness and allocation of supervisors and managers. Project-based work is recommended based on this analysis.
11) Network Operations Handbook with policies and procedures development. This project would require two people for a 10-12 week period to create a standard set of policies and procedures needed to standardize the operations environment.
Information Security
1) Numerous port scans, workstation changes and DNS modifications were performed on internal servers, other workstations and the workstation used to complete this project, with no alarms raised and no investigation detected.
2) External port scanning was also unreported.
3) Human engineering (social engineering) allowed creation of a network userid without authorization: Allen Hogan, userid Hogana, password welcome2ocn.
4) Internet proxy settings were circumvented and access to various sites was gained.
5) Internet proxy settings were circumvented, and downloads of various port scanners and network-mapping tools were successful.
6) Potential data miners accessing the PC via web sites. This is a newer form of exploit in which workstation data can be sent, through data miners, when a web site is visited. A scan of the workstation used for this project found the following:
Cookie scan results:
Suspicious cookies found: 23
Scan complete
The Gator cookie is highlighted: this application is notorious for installing in the background and not providing an uninstall option. It has the ability to send data to a site without the user's authorization or knowledge.
7) Rules-based systems such as those in place at A Company are only as effective as the engineers monitoring the real-time results. If a malicious user or hacker understands the basis for the rules, security can be easily circumvented. Reviewing the rules currently implemented and modifying them to take this into account, in conjunction with developing the monitoring staff's awareness, will greatly reduce any exposure.
Project-based work: hire a third party for penetration testing to establish a security baseline; review the analysis and results and adjust the environment accordingly.
Ratings for Control Sheets
COSO Category Summary of High Priority Issues (control weaknesses):
4 Current ICMA (Internal Control Maturity Assessment) Level Rating
4 Targeted ICMA (Internal Control Maturity Assessment) Level Rating
Summary of PwC's ICMA Levels (Internal Control Maturity Assessment):
Level 1 Unreliable: Unpredictable environment where control activities are not designed or in place.
Level 2 Informal: Control activities are designed and in place but not adequately documented. Controls mostly dependent on people. No formal training or communication of controls.
Level 3 Standardized: Control activities are designed, in place and are adequately documented and communicated to employees. Deviations from controls may not be detected. This is the minimal targeted acceptable standard.
Level 4 Monitored: Standardized controls with periodic testing for effective design and operation with reporting to management. Automation and tools may be used in a limited way to support controls.
Level 5 Optimized: Integrated internal controls with real time monitoring by management and continuous improvement (Enterprise-Wide Risk Management). Automation and tools are used to support controls and allow the organization to make rapid changes to controls i
Based on the review performed at Ocwen, a rating of .4 is given to Ocwen's overall maturity within IT.
Eric
Kansas City, Missouri
U.S.A.