ENSURING INFORMATION SECURITY IN PUBLIC ORGANIZATIONS IN THE REPUBLIC OF MOLDOVA THROUGH THE ISO 27001 STANDARD

Abstract
Data protection in public organizations in the Republic of Moldova (RM) is ensured by implementing the mandatory cyber security requirements (MCSR) adopted by the Government. In order to analyze the completeness of these controls, a comparative study was conducted between the MCSR and the cyber security standard ISO 27001. The intention to comply with international cyber security standards is reflected in the Strategy on Information Security in the RM for 2019-2024. Aligning the national cyber security controls with international standards will ensure the security of an organization's data and resources by implementing effective, time-tested security controls. Another benefit is the confidence of foreign partners in the public organizations of the country, because there will be guarantees that the data provided is confidential, complete and available. It is very important to increase the number of public organizations certified against ISO 27001 in Moldova in order to ensure compliance with international cyber security requirements. The gap method used in this study measures the completeness of the MCSR, which are mandatory for public institutions in the Republic of Moldova, against the international standard ISO 27001. Based on the results obtained, a series of recommendations were developed, which include: the creation of information security management systems (ISMS); performing internal and external audits of systems to keep up with current trends; and alignment of the MCSR issued by the Government of the Republic of Moldova with the security controls of the ISO 27001 standard. It is very important to ensure an acceptable level of cyber security in public institutions in the Republic of Moldova; therefore implementation of, and certification against, international standards is mandatory.


Introduction
In the new global conditions, the need to ensure information security is growing, in the context of the massive migration of data from different organizations into the virtual space. The impact of the Covid-19 epidemic has significantly influenced organizations that use ICT in their work: more companies have started to operate remotely, and the exposure of their data increases. The complexity of the data management process has increased considerably, so ensuring data security is an ongoing challenge for ICT specialists.
To meet the new challenges, organizations need certification based on international information security standards, which contain procedures, methods and tools, capable, as a whole, of ensuring data security.
According to the annual report on monitoring the evolution of the global information society "Measuring the information society 2017", launched by the International Telecommunication Union, the Republic of Moldova ranks 59th out of 176 countries in the ranking. At European level, the Republic of Moldova has advanced compared to the global and regional average, being among the top 10 countries with the most dynamic developments in the world [1].
Under these conditions, the Information Security Strategy will be implemented in the period 2019-2024, which aims to increase information security at the state level, by achieving specific objectives in the field. Adapting national security controls to international security standards will undoubtedly increase electronic security, but also the confidence of foreign partners.
Currently, within the international cyber security standards of the ISO 27000 family, certification is achieved through the ISO 27001 standard, which certifies that an organization complies with the provisions of this standard and has created an Information Security Management System (ISMS) to ensure IT security [2]. Thus, an ISMS allows the implementation of a complex mechanism that determines the security areas of an organization, sets objectives and determines controls, which increases credibility with both business partners and the organization's own employees.
According to Decision no. 201 of 28.03.2017 of the Government of the Republic of Moldova [3], on the approval and implementation of the mandatory minimum requirements for cyber security (MCSR), all public institutions in which a ministry or other central administrative authority is the founder are required to implement the minimum requirements mentioned above.
The purpose of the research is to identify the degree of compliance of the requirements of Government Decision (GD) 201/2017, on the approval of the mandatory minimum requirements for cyber security, level 1 (use of ICT in the institution), with the international security standard ISO 27001.

ISO/IEC 27001:2013
ISO 27001 is the international standard that allows the implementation of ISMS. The specifications of the ISO 27001 standard allow the protection of the company's assets, by creating an ISMS. To ensure information security, ISO 27001 addresses systematic processes, technologies and human resources, as needed, through risk assessment and assistance in the information management process [3].
Cyber security is ensured on the basis of the ISO 27001 standard, in accordance with the following three principles:
- The first is the principle of confidentiality of information, which confirms that only authorized persons have access to information.
- The second is the principle of information integrity, which determines the accuracy with which the data is processed.
- The third is the principle of availability of information, which ensures that authorized persons can access the data on request [4].
ISO 27001 guarantees that information in all its forms is secure, and the ISMS protects every form that information can take (in transport, in processing or in storage), regardless of where it is stored, physically or in the cloud, taking into account the security risks [5].
The Plan-Do-Check-Act chain is used by the ISO 27001 standard, for the implementation of ISMS and is based on the idea of a continuous process of implementing information security [6]. Certification, according to the ISO 27001 standard, is possible after performing the actions described in Figure 1, which is a closed cycle of actions, designed to support the information security management process.
Implementing an ISMS also increases resistance to attack, as objectives, controls and security clauses are continuously adjusted.
According to the annual survey conducted by the International Organization for Standardization (ISO) [7], the number of valid certificates for ISO management standards (including ISO 27001) is reported for each country, each year. In 2019, the number of organizations certified against ISO 27001 at international level was 36,362, while in 2018 there were 31,910. Thus, the number of certified organizations showed an annual increase of over 12%. The survey shows that developed countries have widely adopted ISO 27001 certification: Germany has 1332 certified organizations, Japan 6015, China 9508 and Romania 668, while in the Republic of Moldova only 4 organizations are ISO 27001 certified [7].

Journal of Social Sciences
March, 2021, Vol. 4

ISO 27001 controls
As information security is not strictly related to the IT field alone, the ISO 27001 standard also contains provisions for human resources management, the legal framework, organizational management and physical security, giving a comprehensive approach to information security. The security controls contained in Annex A of the standard are organized into 14 sections, 35 objectives and 114 security controls, reflected in Table 1. Each section focuses on a specific aspect of information security [8]. In order for an institution to be certified against ISO 27001, it must meet the basic regulatory requirements stated in clauses 4 to 10, which are the key clauses [9]. The elements of the main clauses are reflected in Table 2. The standard requires organizations to review the measures they have implemented against the controls in Annex A and, where a control is missing, either to implement it or to document it as not applicable [8].

MCSR
The MCSR adopted by the Government of the Republic of Moldova apply to the State Chancellery, ministries and other central administrative authorities subordinated to the Government, including organizational structures within their sphere of competence (subordinate administrative authorities, decentralized and subordinated public services, public institutions in which the State Chancellery, a ministry or another central administrative authority is the founder), as well as to the autonomous administrative authorities and the units with financial autonomy [3]. They cover:
- devices and software;
- IT systems and resources existing in the institution, as well as those being developed, tested and implemented.
The MCSR are classified as follows:
- level 1: basic cyber security (use of ICT in the activity of the institution);
- level 2: advanced cyber security (use of ICT in the institution's activity and provision of ICT-based services).
The research is performed for the level 1 MCSR. The level 1 MCSR are classified into 4 security domains:
1. Access control
2. Physical security
3. Operational security
4. Secure exchange of data and communications

Research method
Consequently, the compliance of the MCSR level 1 with the reference controls contained in the international standard ISO 27001 was examined.
The research was conducted using the gap analysis method, comparing GD 201/2017 with the international standard ISO 27001. Gap analysis is a tool or technique that allows an organization to compare its actual performance (or, as in this case, its proposed performance) with an international standard taken as the reference [10]. Thus, gap analysis evaluates the answer to "where are we?" in relation to "where we want to be" [10].
Based on the content of the MCSR level 1, the alignment with the controls of the ISO 27001 standard was performed in Table 3; only the security domains that appear in both documents were taken into account. In order to identify the security areas and controls of ISO 27001, Annex A of the standard was analyzed. The access control requirements of the MCSR level 1 (point 15 of GD 201/2017) whose text is preserved here are the following (items 1 and 2 are not reproduced):
3. Each user account is associated with a specific person. If the system does not allow the use of these accounts by other persons, then the system must include special technical means that prevent the use of these accounts by third parties;
4. If the system does not use multifactor authentication, system users must use a password;
5. The system user must use a password that is a combination of numbers (0-9), Latin characters (lowercase and uppercase) and special symbols (! # %), consisting of the minimum number of characters established by the internal security regulations, but not less than 7 characters;
6. Electronic storage and encryption of system users' passwords, including in the user authentication process, is prohibited. It is allowed to transport them through an unencrypted public network only in the case of a single-use password, with a validity of 48 hours from the moment of transmission;
7. The system must have password management mechanisms, and must ensure user authentication and identification for a limited period of time;
8. The use of default passwords in equipment and software products is not permitted;
9. Data on activities in the system (logs) are stored in real time and kept for the period established by the internal security regulation, but not less than 6 months;
10. Any activity in the system must be attributable to a specific user account or IP address;
11. User rights management must ensure that each user can only use his or her own rights. The verification of the activities in the system is performed periodically, at intervals established by the internal security regulations, but not less than once every 6 months;
12. Access control management must be set to allow authorized access from the external network via the Internet only with a single-use password, including the electronic signature of the government electronic service for authentication and access control (MPass).
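Several of the point 15 requirements set numeric floors (at least 7 password characters with four character classes, logs kept at least 6 months, activity reviewed at least every 6 months, single-use passwords valid at most 48 hours, no default passwords). The following is an added example, written for this article and not taken from GD 201/2017, the paper, or any government tool, showing how an institution could check candidate passwords and the values in its own internal security regulation against those floors. The reading of "special symbols" as any printable ASCII punctuation, the regulation field names, and the list of default passwords are assumptions constructed for the example.

```python
"""Checks against the MCSR level 1 access control floors (GD 201/2017, point 15).

Added example, not official code. Assumptions: 'special symbol' means any
printable ASCII punctuation; the regulation is a dict with the field names
used below; the default-password list is a constructed placeholder.
"""
import math
import re
from dataclasses import dataclass, field

DIGIT = re.compile(r"[0-9]")
LATIN_LOWER = re.compile(r"[a-z]")
LATIN_UPPER = re.compile(r"[A-Z]")
# Printable ASCII that is neither a Latin letter nor a digit (assumption).
SPECIAL = re.compile(r"[!-/:-@\[-`{-~]")

# Constructed placeholder list for requirement 8 (no default passwords);
# a real deployment would load the vendor defaults relevant to its equipment.
DEFAULT_PASSWORDS = frozenset({"admin", "password", "12345678", "Admin123!"})


@dataclass
class PolicyResult:
    ok: bool
    failures: list[str] = field(default_factory=list)


def check_password(password: str, min_length: int = 7) -> PolicyResult:
    """Apply requirements 5 and 8. min_length may be raised by the internal
    regulation but, per requirement 5, never lowered below 7."""
    if min_length < 7:
        raise ValueError("requirement 5 sets a floor of 7 characters")
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if not DIGIT.search(password):
        failures.append("no digit (0-9)")
    if not LATIN_LOWER.search(password):
        failures.append("no lowercase Latin letter")
    if not LATIN_UPPER.search(password):
        failures.append("no uppercase Latin letter")
    if not SPECIAL.search(password):
        failures.append("no special symbol")
    if password.lower() in {p.lower() for p in DEFAULT_PASSWORDS}:
        failures.append("matches a known default password (requirement 8)")
    return PolicyResult(ok=not failures, failures=failures)


def check_regulation(reg: dict) -> list[str]:
    """Compare the numeric parameters of an internal security regulation
    with the floors in requirements 5, 6, 9 and 11. Missing fields count as
    non-compliant."""
    findings = []
    if reg.get("password_min_length", 0) < 7:
        findings.append("password minimum length below 7 (requirement 5)")
    if reg.get("otp_validity_hours", math.inf) > 48:
        findings.append("single-use password valid longer than 48 h (requirement 6)")
    if reg.get("log_retention_months", 0) < 6:
        findings.append("log retention shorter than 6 months (requirement 9)")
    if reg.get("log_review_interval_months", math.inf) > 6:
        findings.append("activity review less often than every 6 months (requirement 11)")
    return findings


# Constructed regulations: one below the floors, one meeting them.
WEAK_REGULATION = {
    "password_min_length": 6,
    "otp_validity_hours": 72,
    "log_retention_months": 3,
    "log_review_interval_months": 12,
}
COMPLIANT_REGULATION = {
    "password_min_length": 10,
    "otp_validity_hours": 24,
    "log_retention_months": 12,
    "log_review_interval_months": 3,
}

if __name__ == "__main__":
    for pw in ("Abc123!", "abc1234", "Admin123!"):
        print(pw, check_password(pw))
    print("weak:", check_regulation(WEAK_REGULATION))
    print("compliant:", check_regulation(COMPLIANT_REGULATION))
```

The regulation check is the part an auditor applying the gap method would reuse: each finding names the MCSR requirement whose floor is not met, so the output reads directly as the "where are we?" side of the analysis.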
From the compliance assessment, the following recommendations can be made for controls that are missing or incomplete in point 15:
- User registration is a good practice related to the security of human resources; it provides for the registration and deletion of users in the system within the shortest possible time, according to control A.9.2.1, User registration and de-registration.
- The access rights of all employees and external users who have access to information processing must be removed or restricted at the time of dismissal or change of job, according to control A.9.2.6, Removal or adjustment of access rights.
- The conditions for complying with the policies and for keeping authentication secrets must be stipulated from the moment of employment, by implementing control A.9.3.1, Use of secret authentication information.
- Access to systems and applications must be controlled by a secure connection procedure that proves the identity of the user, as provided by A.9.4.2, Secure connection procedures, because the MCSR do not specify what happens on a successful or unsuccessful connection or disconnection, nor the setting of alerts for failed attempts and possible lockouts. Depending on the nature of the system, access should be limited to certain times of the day or periods, and possibly restricted depending on location.
- Utilities must be monitored, as they can override system rights and are easily found and downloaded, so it is very important to restrict the installation of software by users, according to control A.9.4.4, Use of privileged utility programs.
- Access to the source code of programs used within the organization must be restricted to eliminate the risk of unauthorized modification, according to control A.9.4.5, Access control to program source code.
Table 5 shows the security controls of the ISO 27001 standard that were partially or totally reflected in point 16 of the MCSR, physical security; of the point 16 requirements, only the item on keeping a record of the equipment and software products used within the institution is reproduced here.
Point 16 of GD 201/2017 does not reflect how physical protection against internal and external threats should take place, according to control A.11.1.1. It is important to describe and stipulate how the organization's assets will be physically protected against accidents, unauthorized actions and natural disasters.
Another aspect of physical protection is the security of cables, which must be adequately protected to limit access by unauthorized persons and thus minimize the risk of interception, interference or damage, as controlled by A.11.2.3. Wiring safety.
A very important aspect not covered by the MCSR (level 1) is how the removal of assets will take place, according to control A.11.2.5, Removal of assets. It refers primarily to classified and valuable assets, for which there must be processes to request and authorize their removal or return, and the time for which assets may be removed should be limited according to the risks.
Security controls should also be applied to off-site assets (A.11.2.6), taking into account the different risks involved in remote work. This is a common area of vulnerability.
A final recommendation for adequate physical security is to protect unattended equipment, especially in workplaces with a large flow of visitors, frequent changes of staff holding different roles, or equipment that stays on overnight in spaces to which other people have access.
Table 6 shows the security controls of the ISO 27001 standard that were partially or totally reflected in point 17 of the MCSR, operational security. The point 17 requirements whose text is preserved here are the following (item 1 is not reproduced):
2. The following must be in place: a) an operating system with the current updates applied; b) an antivirus program; c) an activated firewall; d) automatic locking features;
3. Technical control is performed periodically, according to the internal security regulation;
4. Application of cyber security requirements for the use of networks;
5. Elaboration of the continuity plan;
6. Establishing the mechanism for decommissioning equipment, destroying the data it contains and reusing it;
7. Establishing security requirements and restrictions for personal equipment used within the institution.
Implementing change management control, A.12.1.2, is essential in most environments to ensure that changes are appropriate, effective, authorized and carried out in a manner that minimizes the likelihood of unauthorized or accidental action.
Capacity management, control A.12.1.3, must also be taken into account: identify the future requirements that will meet the objectives of the organization and for which the performance of the system must be ensured, such as the capacity for data storage, processing and communications. Capacity management should be both proactive (capacity considerations as part of change management) and reactive (alert triggers for the moment when capacity utilization reaches a critical level).
Another critical aspect is the implementation of control A.12.4.4, clock synchronization. The clocks of all relevant systems involved in processing information within an organization or security domain should be synchronized with a single reference time source, so that events can be correlated in a possible investigation.
Restriction of software installation, control A.12.6.2, matters especially on local devices. The installation of software by users raises a number of threats and vulnerabilities, including malware and the potential violation of software licensing laws. Ideally, users would not be able to install any software on organizational equipment; however, there may be commercial or practical reasons why this is not possible.
Table 7 shows the security controls of the ISO 27001 standard that were partially or totally reflected in point 18 of the MCSR, the secure exchange of data and communications; of the point 18 requirements, only the item on limiting staff access to irrelevant content is reproduced here.
For this security domain, the MCSR differ from the international security standard ISO 27001, although this domain has a great impact on the security of information in communication networks. Even the controls mentioned in Table 7 are only partially specified in the MCSR.
It is not specified how the network controls for information protection take place, referring to the indications in A.13.1.1 Network controls. Depending on business requirements, risk assessment, classifications and segregation requirements, it is necessary to design and implement balanced network controls. Examples of technical controls are: access control lists, intrusion detection and prevention systems, network-level firewalls, physical, logical or virtual segregation.
To secure network services A.13.1.2, as a first step it is necessary to assess the risks. Subsequently, it is determined whether the relationship between business and security requirements was taken into account when designing the network. It is also advisable to include security measures in agreements for the provision of network services.
It has not been stipulated exactly how the organization's network is segregated (A.13.1.3). Information service groups, users and information systems should be separated into virtual networks (VLANs). The design and control of the network must support information classification policies and network segmentation requirements.
At the same time, it is important to create agreements for the transfer of information (A.13.2.2) within the organization, but also with third parties. Often, communication and transfer procedures are implemented without a real understanding of the risks, which therefore creates vulnerabilities and data compromise.
It is necessary to take into account confidentiality and non-disclosure agreements (A.13.2.4). Good control describes how the requirements for confidentiality or non-disclosure agreements should be identified, reviewed periodically and documented, reflecting the organization's information protection needs. Agreements are usually organization-specific and should be developed taking into account the value of the assets, through risk analysis. These include:
- general non-disclosure agreements;
- agreements with customers using standard terms and conditions;
- association, provider or partner agreements used for small and independent service providers that the organization uses to provide services;
- conditions related to employment.

Conclusion
Cyber security has become a priority for institutions in the Republic of Moldova, through the development of information technologies and their application more and more in daily activities. Moreover, the Republic of Moldova ranks among the top 10 European countries, with the most dynamic developments of the information society.
The results of the annual ISO survey for 2019 showed that, globally, the number of organizations certified against ISO 27001 increased by more than 12% compared to 2018. Countries with developed economies have aligned with the ISO 27001 standard, while in Moldova the number of certified organizations is very low, and it is necessary to increase it for two important reasons:
- information security at the state level, to protect services and assets;
- increasing the trust of foreign partners that the organizations in the Republic of Moldova comply with international standards.
In the conditions of the pandemic with Covid 19, the need to use ICT tools in business has increased even more, using new technologies to ensure the continuity of processes and the functioning of state and private enterprises.
According to the National Information Security Strategy for the years 2019-2024, there is a tendency to align with international standards. Creating an information security management system (ISMS), sized according to the value of the organization's assets, is an important step. By approaching information security as a whole, an ISMS ensures that the implemented controls increase the resistance of the organization to information attacks.
If certification to ISO 27001 is not possible because it is a very costly process, it should be aligned with the mandatory requirements of cybersecurity for organizations at the state level, taking into account the objectives and security controls of ISO 27001. This would ensure a high level of security for organizations, which is in line with international trends and is not outdated.
Thus, from the gap analysis between the mandatory cyber security requirements (MCSR) reflected in GD 201/2017 and the ISO 27001 controls, the following recommendations may be proposed:
- analyze security risks at the organizational level and classify assets and information, for more effective security;
- create, for level 1 organizations (those using ICT in their activity), an ISMS that allows the implementation of complex mechanisms distributed over the security domains, according to the prescribed objectives;
- treat information security within the organization as a complex, constantly changing process, for which the internal or external audit of the information system is a key activity that identifies the path to follow to assure information security;
- align the level 1 MCSR with the ISO 27001 controls, to ensure that information is secure regardless of its state: in processing, in transport or in storage (physical or in the cloud).
The method used in this paper, the analysis of the gap between the MCSR level 1 and the ISO 27001 controls, allows us to determine "where are we?" in relation to "where we need to be", in order to adjust the process of ensuring information security in public organizations in the Republic of Moldova to the modern trends described by international standards.