Chapter 31: Further Reading - COBOL and the z/OS Security Model
Books
"z/OS Security: An Introduction to RACF" by IBM Redbooks
A comprehensive introduction to RACF for application developers and system programmers. This Redbook covers user and group administration, dataset and general resource security, RACF commands (ADDUSER, PERMIT, RDEFINE, SETROPTS), and the RACF database structure. The chapters on dataset and general resource profiles are particularly relevant for COBOL programmers who need to understand how their data and programs are protected.

"Mainframe Security: Practical Approaches to RACF, ACF2, and Top Secret" by Dinesh D. Dattani
This book provides a balanced treatment of all three major mainframe security products -- RACF, CA ACF2, and CA Top Secret -- comparing their approaches to common security tasks. For COBOL developers who may work across different mainframe installations, understanding the commonalities and differences between these products is valuable.

"Enterprise Security Architecture Using IBM Tivoli Security Solutions" by IBM Redbooks
This Redbook places mainframe security in the context of enterprise-wide security architecture, covering identity management, access governance, security information and event management (SIEM), and compliance monitoring. It is especially valuable for understanding how z/OS security integrates with distributed security infrastructure in modern hybrid environments.
Online Resources
IBM Developer: z/OS Security Learning Path
IBM's developer portal offers a structured learning path on z/OS security topics, from RACF fundamentals through advanced topics such as digital certificate management and encryption services. The modules include hands-on exercises using IBM's hosted z/OS environment, allowing developers to practice RACF commands and explore security configurations without risk to production systems.

Open Mainframe Project: Security Best Practices for Mainframe Applications
The Open Mainframe Project publishes community-maintained security guidelines for mainframe application developers. These resources cover secure coding practices, vulnerability assessment methodologies, and the integration of mainframe security with enterprise DevSecOps pipelines. The focus on application-level security complements the infrastructure-level coverage in IBM documentation.

SHARE Security Project: Mainframe Security Presentations and White Papers
The SHARE user group's security project publishes presentations, white papers, and recommendations covering emerging threats to mainframe security, RACF configuration hardening, compliance automation, and the evolving landscape of mainframe security testing. These resources reflect the collective expertise of the mainframe security community.
IBM Documentation
"z/OS Security Server RACF Security Administrator's Guide" (SA23-2289)
The authoritative guide to RACF administration, covering all aspects of profile management, access control, security auditing, and RACF system settings. While aimed at security administrators, the chapters on dataset security, general resource classes, and program control are essential reading for COBOL developers who need to understand the security rules governing their applications.

"z/OS Security Server RACF Auditor's Guide" (SA23-2290)
This guide explains how RACF supports audit requirements, including SMF record generation, RACF report generation, and the configuration of logging and alert mechanisms. COBOL developers working in regulated environments benefit from understanding what auditors look for and how RACF reporting works, as they may need to design their applications to support audit requirements.

"CICS RACF Security Guide" (SC34-7612)
A specialized guide covering the integration between CICS and RACF, including CICS resource security classes, region-level security settings, surrogate user configuration, and security for CICS web services. This is the essential reference for COBOL developers writing CICS applications that must comply with enterprise security policies.
Standards and Specifications
"PCI-DSS Requirements and Security Assessment Procedures" (PCI Security Standards Council)
The official PCI-DSS standard document defines the twelve requirements for protecting cardholder data. For mainframe COBOL applications that process payment card data, the requirements related to encryption, access control, logging, and secure coding practices apply directly. Understanding these requirements helps developers design compliant applications from the start rather than retrofitting security controls.

"NIST Special Publication 800-53: Security and Privacy Controls for Information Systems"
NIST SP 800-53 provides a comprehensive catalog of security controls that federal agencies and many private organizations use as a framework for security planning. The access control (AC), audit and accountability (AU), and system and information integrity (SI) control families are directly relevant to mainframe COBOL application security.

"COBIT Framework for IT Governance and Management"
COBIT provides a governance framework that includes security management objectives relevant to mainframe application development. Its treatment of access management, change management, and operations security helps COBOL developers understand the broader organizational context in which their applications operate and the governance requirements they must satisfy.