Chapter 16 Further Reading

IBM Official Documentation

CICS Security

  • CICS TS Security Guide (SC34-7431) — The definitive reference for CICS security configuration. Covers SIT security parameters, ESM integration, resource-level security, and command security in exhaustive detail. Start with Part 2 ("Security overview") if you're new to CICS security.
  • CICS TS RACF Security Guide (SC34-7432) — Specific to RACF integration. Covers RACF class definitions, profile naming conventions, and CICS-specific RACF commands. Essential reference for anyone writing RACF profiles for CICS.
  • CICS TS System Definition Guide (SC34-7428) — Covers SIT parameters including all security-related parameters (SEC, XTRAN, XRES, XCMD, XUSER, XFCT, etc.). Use this when you need the precise syntax and valid values for each parameter.
  • CICS TS Resource Definition Guide (SC34-7430) — Covers CSD transaction definitions including RESSEC and CMDSEC attributes. Reference this when defining transaction-level security controls.

RACF

  • z/OS Security Server RACF Security Administrator's Guide (SA23-2289) — The complete RACF reference. Chapters on resource classes, profile administration, and RACLIST management are directly relevant to CICS security.
  • z/OS Security Server RACF Command Language Reference (SA23-2292) — Every RACF command with syntax, parameters, and examples. Keep this open when writing RDEFINE, PERMIT, RALTER, and SETROPTS commands.
  • z/OS Security Server RACF Auditor's Guide (SA23-2290) — Written for auditors reviewing RACF configurations. Useful for understanding what auditors look for and how to prepare for security assessments.

SMF and Audit

  • z/OS MVS System Management Facilities (SMF) (SA38-0667) — Covers all SMF record types. Chapters on SMF Type 80 (RACF events) and SMF Type 110 (CICS performance/exception) are essential for audit trail design.
  • CICS TS Performance Guide (SC34-7033) — Covers CICS monitoring and SMF 110 record content. Includes the complete layout of SMF 110 subtypes.
  • CICS TS Problem Determination Guide (SC34-7035) — Covers CICS journal management, which is the foundation for application-level audit trails.

SSL/TLS and Certificate Management

  • CICS TS Internet Guide (SC34-7434) — Covers CICS TCP/IP services, SSL/TLS configuration, TCPIPSERVICE definitions, and certificate management.
  • z/OS Cryptographic Services PKI Services Guide and Reference (SA23-2286) — Covers RACF certificate management, keyrings, and the RACDCERT command.

Compliance Frameworks

PCI-DSS

  • PCI DSS v4.0 (PCI Security Standards Council, 2022) — The current version of the Payment Card Industry Data Security Standard. Available free from pcisecuritystandards.org. Focus on Requirements 2, 3, 7, 8, 10, and 11 for CICS relevance.
  • PCI DSS Information Supplement: Mainframe Security (PCI SSC, 2018) — Specifically addresses PCI-DSS implementation on mainframe platforms including CICS. Covers cardholder data environment (CDE) scoping for mainframe systems.

HIPAA

  • HIPAA Security Rule (45 CFR Part 164, Subpart C) — The regulatory text. Focus on §164.312 (Technical Safeguards) for CICS-relevant requirements.
  • HHS HIPAA Security Rule Guidance — The Department of Health and Human Services provides guidance documents that interpret the Security Rule's technical safeguards. These are more practical than the regulatory text.
  • NIST SP 800-66 Rev2: Implementing the HIPAA Security Rule (2024) — NIST's guide to implementing HIPAA technical safeguards. Maps HIPAA requirements to specific technical controls.

SOX

  • COBIT 2019 Framework (ISACA) — While not specific to mainframes, COBIT provides the IT governance framework most commonly used for SOX compliance. Focus on the "Build, Acquire and Implement" and "Deliver, Service and Support" domains.
  • ISACA Journal: Mainframe Security and SOX Compliance — ISACA publishes periodic articles on mainframe-specific SOX compliance topics.

Books

  • IBM Redbook: CICS and SOA: Architecture and Integration Choices (SG24-7889) — Covers security architecture for modern CICS including web services, CTG, and API integration patterns. The security chapters are particularly relevant to surrogate user processing.
  • IBM Redbook: Secure Coding for CICS/TS Web Services (SG24-8353) — Covers secure development practices for CICS web services including authentication, authorization, SSL/TLS, and secure coding patterns.
  • IBM Redbook: z/OS and RACF Cookbook (SG24-5354) — Practical RACF configuration recipes organized by use case. Includes CICS-specific recipes.
  • Mainframe Security: Concepts and Techniques by Dinesh Verma — A practitioner-oriented guide to mainframe security including RACF, CICS security, and compliance frameworks. Written for working systems programmers.
  • CICS: A Practical Guide to System Fine Tuning by Thom Smith and Frank Kyne — While primarily a performance book, the security tuning chapters cover the performance impact of security configuration and optimization strategies.

Technical Articles and Papers

  • IBM Developer: Securing CICS Transaction Gateway Connections — IBM Developer article covering CTG security configuration, including surrogate user processing, SSL/TLS setup, and audit trail design for CTG-connected applications.
  • IBM Z Security and Compliance Center documentation — IBM's tool for automated compliance verification on z/OS systems. Relevant for automating PCI-DSS and HIPAA compliance checking against CICS security configurations.
  • SHARE Presentations on CICS Security — The SHARE user group archive contains numerous presentations from mainframe security practitioners. Search for "CICS security" and "RACF CICS" in the SHARE presentation archive.

Tools and Utilities

  • IBM CICS Security Verification Tool — Automates the verification of CICS security configurations against best practices. Available as a SupportPac.
  • IBM zSecure Admin (formerly Consul zAdmin) — RACF administration tool that simplifies RACF profile management, auditing, and compliance reporting for CICS and other z/OS subsystems.
  • IBM CICS Performance Analyzer — Analyzes SMF 110 records and can identify security-relevant patterns in transaction performance data.
  • IBM z/OS SMF Data Extractor — Extracts and formats SMF records including Type 80 (RACF) and Type 110 (CICS) for analysis in external tools like Splunk or QRadar.

Community and Ongoing Learning

  • SHARE Association (share.org) — The premier mainframe user group. Attend the security and CICS tracks at SHARE conferences for current best practices.
  • IBM Z and LinuxONE Community — IBM's online community for mainframe practitioners. The security forums frequently discuss CICS security topics.
  • Planet Mainframe (planetmainframe.com) — Online publication covering mainframe technology including security topics.
  • Mainframe DEF CON presentations — Yes, mainframe security is presented at DEF CON. Search for "mainframe" in the DEF CON media archive for talks on CICS and RACF security vulnerabilities and penetration testing techniques.

Standards and Frameworks

  • NIST SP 800-53 Rev5: Security and Privacy Controls — The comprehensive catalog of security controls. Map CICS security features to NIST controls for a framework-agnostic security architecture.
  • CIS Benchmarks for z/OS — The Center for Internet Security publishes hardening benchmarks for z/OS that include RACF and CICS security configuration baselines.
  • DISA STIG for z/OS — The Defense Information Systems Agency publishes Security Technical Implementation Guides for z/OS. The RACF and CICS STIGs provide specific configuration requirements used by U.S. Department of Defense systems.

Note: IBM documentation references use document numbers that are stable across editions. When accessing IBM documentation online through the IBM Documentation portal (ibm.com/docs), search by document number for the most current version of each publication.