CYPRUS: Compliance of the technical requirements and specifications of Cyprus Sports Organisation (CSO) Fan Card Registry System

05.12.2022

Cyprus Sports Organisation (CSO) is a semi-public Organisation and is recognized as the Supreme Authority in the Republic of Cyprus for extracurricular sports. Within the framework of its responsibilities and obligations under the National Legislation, CSO has announced a tender procedure for the development, maintenance and support of a new management system for the Central Registry of Fan Card Holders and provision of infrastructure as a service.

The scope of our audit was the compliance of the tender documents and of the technical requirements of the system. Our main findings and recommendations were the following.

a) Extra charges for out of hours technical support

The Organisation has defined the timeframe excluded from normal daily working hours as 17:00-24:00 on working days and 08:00-24:00 on weekends and public holidays. Any support requested during those timeframes is considered extra and is paid from an additional budget.

According to the official fixture programme of the Cyprus First Division Football Championship for the 2022/23 season, which covers most of the games that only Fan Card holders may attend, a large percentage of match dates and times fall outside the normal daily working hours.

Since these are the most popular sporting events, it is reasonable to expect that new Fan Card applications, data updates and processing requests will peak close to those dates, so system availability matters most precisely then.

We therefore recommended that these timeframes should not be treated as extra and charged at a different rate, but rather be identified as critical to operations and treated accordingly.


b) Recovery Time Objective (RTO) – Recovery Point Objective (RPO)

The tender documents state that the successful Contractor is responsible for the system's backup strategy, including the backup frequency, the frequency of recovery procedure testing, and the recovery time objective (RTO) and recovery point objective (RPO) after a disaster.

Although the Organisation has defined an RTO of less than 2 hours and an RPO of less than 4 hours for the system infrastructure, no equivalent objectives are requested for the data being retained.

It is our opinion that RTO and RPO requirements are the responsibility of the Organisation, which should therefore conduct a risk analysis and define its Business Continuity Plan. The outcomes should be reflected in the technical specifications of the tender documents.


c) Testing process

The tender requires that system tests be conducted using data from the latest backup of the system being replaced. The Organisation should consider that the data stored for Fan Card holders constitute personal data under Regulation (EU) 2016/679 (GDPR) and must be treated accordingly. Access to personal data should therefore be limited on a need-to-know basis, which may conflict with the testing process.

We recommended that any data used in testing procedures, or otherwise exposed to unauthorised personnel, should first pass through an obfuscation process so that the individuals concerned can no longer be identified from it.


d) Multifactor Authentication

The system requirements state that Fan Cards created through CSO's website require authentication of the user via e-mail and an OTP code. When a new Fan Card is instead created by CSO staff, the requirements state that this authentication step is omitted.

Our opinion is that the authentication process is not only a means of verifying user data but also a way of approving access for the user; therefore the authentication process should be enforced in all circumstances. Specifically, when a new Fan Card is created, every application should be accompanied by the user's approval.


e) Numbering

The system requirements define that Fan Card numbers should be unique and sequential.

Our opinion is that sequential numbering is a potential means of indirectly identifying the card holder, which is prohibited by GDPR, and should therefore be avoided.
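As an added illustration of this finding (example code, not part of the audit report or of the CSO system), the following Python contrasts a sequential card-number scheme, from which the issuing order of cards can be read off, with unpredictable numbers drawn from a cryptographic random source while the registry still enforces uniqueness. The 12-digit length and the Luhn check digit are assumptions not taken from the tender; the check digit is included so that a mistyped or misread number is rejected instead of matching another holder's card.

```python
import secrets

CARD_DIGITS = 12  # assumed card-number length; the tender does not specify one


def luhn_check_digit(body: str) -> str:
    """Return the Luhn check digit for a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:  # every other digit from the right, starting with the last
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the last digit is the correct Luhn check digit for the rest."""
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


class FanCardRegistry:
    """Constructed in-memory stand-in for the central registry's table of issued numbers."""

    def __init__(self, digits: int = CARD_DIGITS):
        self.digits = digits
        self.issued: set[str] = set()
        self.counter = 0

    def issue_sequential(self) -> str:
        """The scheme required by the tender: predictable, reveals the issuing order."""
        self.counter += 1
        body = str(self.counter).zfill(self.digits - 1)
        number = body + luhn_check_digit(body)
        self.issued.add(number)
        return number

    def issue_random(self) -> str:
        """Recommended alternative: random body, uniqueness enforced by the registry."""
        while True:
            body = str(secrets.randbelow(10 ** (self.digits - 1))).zfill(self.digits - 1)
            number = body + luhn_check_digit(body)
            if number not in self.issued:  # retry on the (rare) collision
                self.issued.add(number)
                return number


def issued_in_order(numbers: list[str]) -> bool:
    """Audit check: do consecutively issued numbers differ by exactly one (check digit excluded)?"""
    bodies = [int(n[:-1]) for n in numbers]
    return len(bodies) > 1 and all(b - a == 1 for a, b in zip(bodies, bodies[1:]))
```

Running `issued_in_order` over a sample exported from a live registry is a quick way to confirm which scheme the delivered system actually uses.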


f) Manual entry

The requirements state that, where scanner processing of a Fan Card by internal users fails, functionality must exist to enter the required data manually.

Our recommendation is that, in all processing cases, user approval should be required.