z/OS IBM CICS Transaction Server for RACF Security Technical Implementation Guide

Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

z/OS IBM CICS Transaction Server for RACF Security Technical Implementation Guide

Overview

Version	Date	Finding Count (9)			Downloads
6	2023-03-21 2015-01-15 2015-01-15 2015-01-15 2015-01-15 2015-01-15 2015-01-15 2015-01-15 2015-01-15 2015-01-15 2018-01-05 2018-01-05 2018-01-05 2018-01-05 2018-01-05 2018-01-05 2018-01-05 2021-12-14 2021-12-14 2021-12-14 2022-10-07	CAT I (High): 0	CAT II (Med): 9	CAT III (Low): 0	Excel	JSON	XML

STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles

Classified	Public	Sensitive
I - Mission Critical Classified	I - Mission Critical Public	I - Mission Critical Sensitive	II - Mission Support Classified	II - Mission Support Public	II - Mission Support Sensitive	III - Administrative Classified	III - Administrative Public	III - Administrative Sensitive

Findings (MAC III - Administrative Sensitive)

Finding ID	Severity	Title	Description
V-224500	Medium	CICS regions are improperly protected to prevent unauthorized propagation of the region userid.	CICS is a transaction-processing product that provides programmers with the facilities to develop interactive applications. Improperly defined or controlled CICS userids (i.e., region, default,...
V-224494	Medium	CICS System Initialization Table (SIT) parameter values must be specified in accordance with proper security requirements.	The CICS SIT is used to define system operation and configuration parameters of a CICS system. Several of these parameters control the security within a CICS region. Failure to code the...
V-224495	Medium	CICS region logonid(s) must be defined and/or controlled in accordance with the security requirements.	CICS is a transaction-processing product that provides programmers with the facilities to develop interactive applications. Improperly defined or controlled CICS region userids may provide an...
V-224496	Medium	CICS default logonid(s) must be defined and/or controlled in accordance with the security requirements.	CICS is a transaction-processing product that provides programmers with the facilities to develop interactive applications. An improperly defined or controlled CICS default userid may provide an...
V-224497	Medium	CICS logonid(s) must have time-out limit set to 15 minutes.	CICS is a transaction-processing product that provides programmers with the facilities to develop interactive applications. Improperly defined or controlled CICS region userids may provide an...
V-224492	Medium	CICS system data sets are not properly protected.	CICS is a transaction-processing product that provides programmers with the facilities to develop interactive applications. Unauthorized access to CICS system data sets (i.e., product, security,...
V-224493	Medium	Sensitive CICS transactions are not protected in accordance with security requirements.	Sensitive CICS transactions offer the ability to circumvent transaction level controls for accessing resources under CICS. These transactions must be protected so that only authorized users can...
V-224498	Medium	IBM CICS Transaction Server SPI command resources must be properly defined and protected.	IBM CICS Transaction Server can run with sensitive system privileges, and potentially can circumvent system controls. Failure to properly control access to product resources could result in the...
V-224499	Medium	External RACF Classes are not active for CICS transaction checking.	Implement CICS transaction security by utilizing two distinct and unique RACF resource classes (i.e., member and grouping) within each CICS region. If several CICS regions are grouped in an MRO...