Chapter 28 Further Reading: Mainframe Security for COBOL Developers

Tier 1: Verified IBM Documentation

These are primary sources available directly from IBM's documentation library. All URLs point to IBM's official documentation sites.

RACF

z/OS Security Server RACF Security Administrator's Guide IBM Publication SA23-2289. The definitive reference for RACF administration — user/group management, dataset profiles, general resource classes, and security policy configuration. Chapter 3 (Defining Groups and Users) and Chapter 7 (Protecting General Resources) are directly relevant to this chapter. Available at: IBM Documentation — z/OS library (https://www.ibm.com/docs/en/zos)

z/OS Security Server RACF Command Language Reference IBM Publication SA23-2292. Complete syntax and examples for all RACF commands — ADDSD, PERMIT, RDEFINE, SETROPTS, and more. Use this as the reference when implementing the RACF commands shown in this chapter. Available at: IBM Documentation — z/OS library

z/OS Security Server RACF Auditor's Guide IBM Publication SA23-2290. Written specifically for auditors, this guide explains how to use RACF reports and utilities (DSMON, the IRRDBU00 database unload and the IRRADU00 SMF unload) to verify security controls and to reconstruct who accessed what. Essential reading for anyone preparing for a PCI-DSS or HIPAA audit on z/OS. Available at: IBM Documentation — z/OS library

z/OS Security Server RACF Macros and Interfaces IBM Publication SA23-2288. Technical reference for the SAF router, RACF callable services, and RACF exits. Relevant for understanding how SAF routes security decisions and how RACF processes profile checks. Available at: IBM Documentation — z/OS library

Encryption and Cryptography

z/OS Cryptographic Services ICSF Administrator's Guide IBM Publication SC14-7506. Covers ICSF configuration, key management (CKDS, PKDS, TKDS), callable services, and CPACF integration. Chapter 2 (Key Management) and Chapter 5 (Callable Services) are essential for implementing the encryption patterns in this chapter. Available at: IBM Documentation — z/OS library

z/OS Cryptographic Services ICSF Application Programmer's Guide IBM Publication SC14-7508. Programming reference for ICSF callable services, including the CSNBENC (encipher) and CSNBDEC (decipher) APIs that can be called from COBOL. Note that CSNBENC and CSNBDEC are the DES encipher and decipher services; for AES, use the symmetric key services CSNBSYE (Symmetric Key Encipher) and CSNBSYD (Symmetric Key Decipher), which select the algorithm and mode through the rule array. Includes copybook definitions and calling conventions. Available at: IBM Documentation — z/OS library

z/OS DFSMS Managing Data Sets — Chapter on Data Set Encryption IBM Publication SC23-6855. Covers z/OS data set encryption configuration — SMS data class encryption attributes, key label assignment (through the SMS data class, the DFP segment of the RACF data set profile, or the DSKEYLBL JCL parameter), and operational procedures for managing encrypted datasets. Available at: IBM Documentation — z/OS library

z/OS Communications Server: IP Configuration Guide — AT-TLS Chapter IBM Publication SC27-3650. Covers AT-TLS policy configuration, cipher suite selection, certificate management, and troubleshooting; the exact syntax of each Policy Agent statement is in the companion IP Configuration Reference (SC27-3651). The configuration examples in Section 28.3.4 of this chapter are based on patterns from this guide. Available at: IBM Documentation — z/OS library

DB2 Security

Db2 13 for z/OS: Managing Security IBM Publication SC28-4191. Covers DB2's security architecture, including RACF integration, GRANT/REVOKE authorization, column-level access control, row-level security, trusted contexts, and audit policies. Chapters on column access control and DB2 audit are particularly relevant. Available at: IBM Documentation — Db2 for z/OS library

Db2 13 for z/OS: Administration Guide — Data Encryption Chapter IBM Publication SC28-4187. Covers DB2's column-level encryption built-in functions (ENCRYPT_TDES with the DECRYPT_BIT, DECRYPT_CHAR and DECRYPT_DB functions, and the ICSF-key-backed ENCRYPT_DATAKEY and DECRYPT_DATAKEY functions introduced in Db2 12), encryption of table spaces and indexes through z/OS data set encryption, and integration with ICSF key management. Available at: IBM Documentation — Db2 for z/OS library

CICS Security

CICS Transaction Server for z/OS: CICS Security IBM Publication SC34-7384 (version varies). The complete reference for CICS security — transaction security, resource security, command security, surrogate user support, and RACF integration. Complements Chapter 16 of this book. Available at: IBM Documentation — CICS TS library

MQ Security

IBM MQ for z/OS: Security IBM Publication SC34-6935. Covers MQ security architecture — RACF resource classes (MQQUEUE, MQPROC, MQNLIST, plus MQADMIN, MQCONN and MQCMDS for administration, connection and command security), RESLEVEL, channel authentication records, and TLS configuration for MQ channels. Available at: IBM Documentation — IBM MQ library


Tier 2: Compliance Standards and Frameworks

PCI-DSS

PCI DSS v4.0 Standard Published by the PCI Security Standards Council. The complete standard, including all 12 requirements, testing procedures, and guidance. Available as a free download after registration. Available at: https://www.pcisecuritystandards.org/document_library/

PCI DSS Supplement: Mainframe Security Published by the PCI Security Standards Council's Special Interest Group on Mainframe Security. Provides mainframe-specific guidance for implementing PCI-DSS controls on z/OS, including RACF, encryption, and audit logging recommendations. This is the most directly relevant compliance document for mainframe PCI-DSS. Available at: PCI SSC document library (may require membership)

Information Supplement: Penetration Testing Guidance Published by the PCI Security Standards Council. Relevant to CNB's Finding 3 (no mainframe penetration testing). Covers penetration testing scope, methodology, and reporting requirements for PCI-DSS Requirement 11. Available at: PCI SSC document library

HIPAA

HIPAA Security Rule (45 CFR Part 164, Subpart C) The actual regulation text. Sections 164.308 (Administrative Safeguards), 164.310 (Physical Safeguards), 164.312 (Technical Safeguards), and 164.316 (Documentation Requirements) are referenced in Section 28.6 of this chapter. Available at: https://www.hhs.gov/hipaa/for-professionals/security/index.html

NIST SP 800-66 Revision 2: Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule NIST's implementation guide for the HIPAA Security Rule. Maps each HIPAA requirement to specific technical controls and provides assessment procedures. More prescriptive than the HIPAA rule itself. Available at: https://csrc.nist.gov/publications/detail/sp/800-66/rev-2/final

HHS Guidance on HIPAA Encryption Safe Harbor U.S. Department of Health and Human Services guidance on what constitutes "unsecured" ePHI for breach notification purposes, including the encryption standards that qualify for Safe Harbor protection. Available at: https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html

Federal Security Standards

NIST SP 800-53 Revision 5: Security and Privacy Controls for Information Systems and Organizations The comprehensive catalog of security controls used by federal agencies under FISMA. The AC (Access Control), AU (Audit and Accountability), SC (System and Communications Protection), and IA (Identification and Authentication) control families are most relevant to this chapter. Available at: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final

NIST Cybersecurity Framework (CSF) 2.0 A voluntary framework for managing cybersecurity risk. Its six functions (Govern, Identify, Protect, Detect, Respond, Recover; Govern was added in 2.0) map directly onto the z/OS security architecture described in this chapter: RACF and subsystem security under Protect, SMF and RACF audit reporting under Detect. Available at: https://www.nist.gov/cyberframework


Tier 3: Attributed Community and Industry Sources

Books

Mainframe Security: Protecting Your Environment — IBM Redbook SG24-6803 Covers z/OS security architecture, RACF configuration, and compliance from a practitioner perspective. The chapters on RACF health checks and security configuration best practices complement this chapter's content. Available at: IBM Redbooks (https://www.redbooks.ibm.com/)

Security on z/OS — IBM Redbook SG24-7023 A comprehensive security reference covering RACF, ICSF, AT-TLS, and z/OS communications security. Particularly relevant: the chapters on cryptographic services and network security. Available at: IBM Redbooks

z/OS PKI Services: A Practical Guide — IBM Redbook SG24-7603 Covers certificate management on z/OS, including RACF keyrings, digital certificate configuration, and integration with AT-TLS. Essential if you are implementing mutual TLS authentication as described in the Pinnacle case study. Available at: IBM Redbooks

Technical Articles and Conference Presentations

SHARE Conference Proceedings — https://www.share.org Search for presentations on RACF best practices, z/OS encryption, and mainframe compliance. Presenters to look for: Mark Nelson (IBM, RACF), Rich Guski (IBM, z/OS security), and Jeff Snyder (IBM, ICSF).

IBM Z Security Community — https://community.ibm.com/community/user/ibmz-and-linuxone/communities/community-home?communitykey=5e427e50-2f98-4cb4-abe7-ece6fdd1c0e4 IBM's community for z/OS security practitioners. Discussion forums, blog posts, and technical articles on RACF, ICSF, AT-TLS, and compliance topics.

Mainframe Security Blog by Vanguard Integrity Professionals — https://www.go2vanguard.com/blog Technical articles on mainframe security, including RACF configuration, compliance, and security monitoring. Written by experienced practitioners.


Suggested Reading Order

For readers building a mainframe security architecture for the first time:

  1. z/OS Security Server RACF Security Administrator's Guide — Chapters 1-3, 7 (RACF fundamentals)
  2. CICS Security (IBM publication) — Chapters on transaction and resource security (connects to Chapter 16)
  3. Db2 13 for z/OS: Managing Security — Chapters on authorization and column access control
  4. z/OS ICSF Administrator's Guide — Chapters 1-2 (cryptographic architecture and key management)
  5. z/OS Communications Server: AT-TLS — Configuration chapter
  6. PCI DSS v4.0 Standard — All 12 requirements (even if your environment isn't PCI-scoped — the requirements represent security best practices)
  7. NIST SP 800-66 Rev 2 — HIPAA implementation guide (if healthcare-relevant)
  8. IBM Redbook SG24-6803 (Mainframe Security) — Practical implementation guidance

This sequence builds from infrastructure (RACF) through subsystem security (CICS, DB2) through encryption (ICSF, AT-TLS) to compliance (PCI, HIPAA). Budget approximately 40-50 hours for the complete reading list.