Technical Services
Technical Service OS390 Administrative Computing
       Illinois State University


Table of Contents

WHAT IS CICS?

WHAT IS TSO?

WHAT IS RACF?

INTRODUCTION TO THE CICS/TSO AUTOMATION PROCESS

STANDARDS FOR CICS AND TSO

DATA CUSTODIAN'S GUIDELINES
INTRODUCTION
DATA CUSTODIAN'S RESPONSIBILITIES
PROCEDURES
CONSIDERATIONS

INFORMATION SYSTEMS ACCESS ADMINISTRATOR
SYSTEMS PROGRAMMER
   Systems Programmer's Responsibilities
   Systems Programmer's Yearly Responsibilities

GLOSSARY



What is CICS?

CICS stands for Customer Information Control System. CICS is an IBM product used as a transaction processor for mainframe computers and other platforms, including the AS/400, OS/2 and the RS/6000.

CICS is a general-purpose data communication software system that provides:

  • Control of concurrently running applications serving many on-line users.
  • The functions required by application programs for communicating with remote and local terminals and subsystems.
  • Control of files and databases, with the various IBM data access methods and database products that are available.
  • The ability to communicate with other CICS systems and database systems, either in the same computer or in connected systems.

At Illinois State University CICS is used to process information between a user and a large computer, the mainframe. The user types in a predetermined four-character transaction id, such as GPAD, and retrieves information on the terminal screen.

CICS is widely used across the Illinois State campus. Most of the administrative processing for the University is performed using CICS. Examples of information that can be obtained from CICS include all Financial Aid information, all Student information (including student class registration and student bills), all Payroll information, all Alumni information and all Parking information.

An academic advisor can look up all information about a student to help in the decision making process when the student is registering for classes. The advisor can review the classes the student has taken, the grades the student obtained and the classes the student has left to take. This information is vital for the academic advisors to perform their job responsibilities.

The academic advisors are not the only people using the CICS system. Approximately 2,500 people use CICS each day. The ACS Department offers a course (ACS 376) that trains people in CICS programming.

CICS is an important asset for Illinois State. The long range plans for the University include CICS. With all of the processing done through CICS transactions for the University, the CICS software will have to continue to operate for ten or more years. The CICS software is vital for the University community to function properly. Illinois State is even extending the CICS family: there are plans to develop applications with CICS for OS/2 and CICS for the RS/6000 at Illinois State.


What is TSO?

TSO stands for Time-Sharing Option. Time-Sharing means users are allowed to share the time and resources of a major operating system. TSO runs under the MVS (Multiple Virtual Storage) operating system. MVS handles TSO users as a batch job. When the TSO user logs onto the system, JCL (Job Control Language) is initiated to process the necessary resources. The JCL includes all DD (Data Definition) statements that are necessary to allocate data sets needed by the user.

TSO uses ISPF, Interactive System Productivity Facility, to help the user navigate through the TSO system. ISPF is a menu driven interface that provides most of the TSO functionality. If ISPF is not available, every option available through TSO can be accessed by a TSO command. At Illinois State ISPF is the user interface under TSO.

ISPF/PDF (Program Development Facility) is also available at Illinois State. This part of ISPF is used by programmers at the University. There are numerous facilities that are of use to the programmer. These include:

  • A powerful text editor
  • A set of utilities to create and manage data sets and libraries
  • The ability to invoke language translators to compile and link-edit the application programs


What is RACF?

RACF stands for Resource Access Control Facility. RACF is a software security product that protects information by controlling access to it. RACF also controls what the user can do and protects all of the operating system's resources. RACF provides this security by identifying and verifying users, authorizing users to access protected resources and recording and reporting access attempts.

RACF helps meet the needs for security by providing the ability to:

  • Identify and verify users
  • Authorize users to access the protected resources
  • Control the means of access to resources
  • Log and report various attempts of unauthorized access to protected resources
  • Administer security to meet the goals of security for Illinois State

RACF provides all of the above functions, but Illinois State must define the users and the resources for RACF to protect.

One specific RACF user, called the RACF administrator, has the ability to define users and resources to RACF. As well as defining what resources to protect, the RACF administrator can define and grant the authorities by which users access the protected resources. Therefore the RACF administrator sets down the guidelines that RACF uses to decide the user-resource interaction within Illinois State. The RACF administrator for RACF at Illinois State is called the Information Systems Access Administrator.


Introduction to the CICS/TSO Automation Process

The CICS signon and transaction application process and the TSO signon and data set application process have been automated based on the individual's job class, department and position held at the University. A CICS signon and the appropriate transactions and/or a TSO signon and the appropriate data set access will be acquired automatically for the Illinois State employee when the employee obtains an existing position with an authorized signon. Each position is assigned a set of transactions and/or data set access that is necessary to perform the job responsibilities for that position. Not every university employee receives CICS and TSO access: many Civil Service employees have CICS access, but the university employees that have access to TSO are usually programmers or employees and/or students associated with the Applied Computer Science department. TSO is becoming more popular with the growth of DB2 query access.

Note: Terms within quotations are actual fields described in the ISI database data dictionary.

All information about the Illinois State employee will come from the ISI database. The ISI database is maintained by the Provost's Office and the Human Resource Office. The ISI database contains all employment history about every past, current and future employee for the University.

Upper level CICS and/or TSO security access is determined by "Appointment Begin Date" and "Appointment End Date" within a specific "Job Classification" and "Appointment Department." Depending on the Data Custodian's decision, CICS and/or TSO security access can be taken one step further by also looking at the "Position Number", "Account Start Date" and "Account Stop Date" values. Whether the CICS and/or TSO access decision is made by "Job Class" and "Department Name" or by "Job Class", "Department Name" and "Position Number", the "Leave of Absence Reason" is evaluated. "Leave of Absence Reason" codes of 02, 21 and 22 cause the CICS and/or TSO security access to be deleted; all other codes are considered active layoff and the access remains active. The Access Database, controlled by the Information Systems Access Administrator, stores whether the CICS and/or TSO security access is controlled by job class and department or by job class, department and position number.

For Academic personnel with "Appointment Type" Q (non-tenure track), L (Faculty Associate, Non-continuing), J (Adjunct) or G (Graduate Assistant) whose "Appointment End Date" has passed, these personnel may request the Information Systems Access Administrator to temporarily activate the CICS and/or TSO security access through September 1st or February 1st, whichever occurs first. If the above positions are not active in the ISI personnel database by September 1st or February 1st, the CICS and/or TSO security access will be deleted.

Special Exception cases override the automation process. Special exception cases, other than as stated above, are requested through the Office of the Provost for Academic Users, Human Resource Office for Staff Users or the Supervisor of the User with Data Custodian approval. Special Exceptions, for an inactive employee (not currently employed by the University), are controlled through the Access Database specifying a date range for the desired CICS security access. Special Exceptions are made when requested by the Supervisor of the user with the Data Custodian approval at the individual transaction level.

Position Numbers that start with any of the values below are ranges of position numbers not eligible for the automation process. These employees, along with their supervisor, must fill out two forms for a CICS signon and access: the Signon Update Request and the Signon Update Request for Transactions. These employees, along with their supervisor, must fill out two forms to obtain their TSO signon and data set access: the TSO Userid Request and the RACF Update Request. The signons are deleted automatically when the employee leaves the University.

This is the list of not eligible position numbers for Illinois State employees:

  • 25xxx - Visiting Artists/Lecturers
  • 30xxx - Overtime
  • 31xxx - Extra Help
  • 32xxx - Extra Help
  • 35xxx - Daily Rate Substitutions
  • 40xxx - Student Help - Regular
  • 41xxx - Student Help - Work Study
  • 55xxx - Contractual Faculty
  • 60xxx - Central Accounts
  • 61xxx - Temporarily Assigned Position
  • 65xxx - Faculty Development
  • 70xxx - Other Funded Summer Session

Employees holding the not eligible position numbers listed above are still monitored through the automation process for any changes to their position. The signon will also be deleted from CICS and/or TSO when the employee leaves the University. If the position numbers for these employees are separated into smaller groups, then the positions can be added to the automation process. The Financial Aid Office and the Human Resource Office will have to make the decision to uniquely qualify the positions for every employee that currently has a not eligible position number before the Information Systems Access Administrator can implement the above positions in the automation process.

A retiree is treated as a Special Exception, with the date range of activation being one year. The Department of Human Resource is responsible for notifying Staff retirees of the date range, and the Department of the Provost for the notification to all Academic retirees. A retiree has CICS and/or TSO security access for as long as the access is needed and must go through the process for special exceptions. The need is evaluated every year.

Guest Accounts are also Special Exceptions. Guest Accounts are sponsored by an Academic or Staff member associated with Illinois State. Access will be granted, on a case-by-case basis, with a written recommendation of the access purpose by the faculty or staff member associated with Illinois State, and must go through the process for special exceptions.
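The eligibility rule of the automation process described above, worked through in Python as an added example (not ISU's own code). The ISI field names and the codes follow the text; the Access Database contents, the transaction ids other than GPAD, the job class and department codes, and the status labels are constructed for this illustration.

```python
"""Eligibility decision of the CICS/TSO automation process (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Position-number prefixes the page lists as not eligible for automation.
INELIGIBLE_PREFIXES = ("25", "30", "31", "32", "35", "40", "41",
                       "55", "60", "61", "65", "70")
# "Leave of Absence Reason" codes that delete access; every other code is
# treated as active layoff and leaves the access in place.
DELETE_LOA_CODES = {"02", "21", "22"}
# "Appointment Type" codes that may be temporarily extended past the end date.
EXTENDABLE_TYPES = {"Q", "L", "J", "G"}

# Constructed stand-in for the Access Database. The key length records the Data
# Custodian's choice: (job class, department) or (job class, department, position).
ACCESS_DB = {
    ("CLERK", "FINAID"): {"FAID", "FAST"},            # constructed transaction ids
    ("ADVISOR", "REGIS", "12345"): {"GPAD", "STRG"},  # GPAD is from the page
}


@dataclass
class Appointment:
    """One ISI appointment record; dates are ISO 'YYYY-MM-DD' strings as exported."""
    job_class: str
    department: str
    position_number: str        # e.g. "12345"; the two-digit prefix decides eligibility
    appointment_type: str       # "Q", "L", "J", "G" or any other code
    begin_date: str             # "Appointment Begin Date"
    end_date: Optional[str]     # "Appointment End Date"; None = open-ended
    loa_reason: Optional[str]   # "Leave of Absence Reason"; None = not on leave


def as_date(value) -> date:
    """Accept a date object or an ISO string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def extension_deadline(after: date) -> date:
    """First September 1st or February 1st on or after the given date."""
    candidates = (date(after.year, 2, 1), date(after.year, 9, 1),
                  date(after.year + 1, 2, 1))
    return min(d for d in candidates if d >= after)


def transactions_for(appt: Appointment) -> set:
    """Look up the transaction set, trying the position-level key first."""
    by_position = (appt.job_class, appt.department, appt.position_number)
    by_class = (appt.job_class, appt.department)
    return set(ACCESS_DB.get(by_position) or ACCESS_DB.get(by_class) or ())


def evaluate(appt: Appointment, today) -> str:
    """Return the automation decision for one appointment on a given day."""
    today = as_date(today)
    if appt.position_number[:2] in INELIGIBLE_PREFIXES:
        return "MANUAL"        # paper forms; automation only deletes on departure
    if appt.loa_reason in DELETE_LOA_CODES:
        return "DELETE"
    if today < as_date(appt.begin_date):
        return "PENDING"       # appointment has not started yet
    if appt.end_date is None or today <= as_date(appt.end_date):
        return "ACTIVE"
    if appt.appointment_type in EXTENDABLE_TYPES:
        deadline = extension_deadline(as_date(appt.end_date))
        if today <= deadline:
            # May be re-activated on request until the next Sept 1st / Feb 1st.
            return "EXTENDABLE_UNTIL_" + deadline.isoformat()
    return "DELETE"


def decide(appt: Appointment, today):
    """Decision plus the transactions that would be granted while ACTIVE."""
    status = evaluate(appt, today)
    grants = transactions_for(appt) if status == "ACTIVE" else set()
    return status, grants


if __name__ == "__main__":
    advisor = Appointment("ADVISOR", "REGIS", "12345", "B", "2024-08-16", None, None)
    print(decide(advisor, "2024-10-01"))
```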


Standards for CICS and TSO

The users need to understand the importance of maintaining confidentiality while using CICS and/or TSO signons. A user needs to change his/her password when a CICS and/or TSO signon is given to them and occasionally while using the CICS and/or TSO signon. If the User does not follow the CODE OF RESPONSIBILITY FOR SECURITY AND CONFIDENTIALITY OF DATA, the User's CICS and/or TSO signon is revoked immediately. Each user has one signon for CICS and/or TSO and one password. The CICS and/or TSO signons are assigned individually and each user of CICS and/or TSO must have their own signon.

A user of the mainframe computer will be assigned a RACF user ID. A RACF user ID can be one to eight characters long. A TSO user ID and a user ID on an MVS JOB statement cannot be more than seven characters, so Illinois State has limited RACF user IDs to seven characters. For university employees the RACF id will be their first initial, middle initial and the first five characters of their last name (or the whole last name, if it is shorter than five characters). For example, an employee with the name John C. Smith will have a user ID of JCSMITH. For ACS students the RACF id will be: the first character is @, the next three characters are the ACS class number, the next character is the section number and the last two characters are a unique number for the student in the class. For example, a student in ACS 376, section 1 would have a user ID of @3761xx where 00 <= xx <= 99. Depending on the position the employee holds at the University, the RACF user ID will be able to access TSO, CICS or both TSO and CICS. ACS students have access to both CICS and TSO.
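The RACF user ID naming convention just described, as an added example in Python (not ISU's own code). Assumption not stated on the page: non-letter characters in a name (apostrophes, hyphens, spaces) are dropped before the initials and last-name prefix are taken.

```python
"""Derive and validate Illinois State RACF user IDs (added example)."""
import re

MAX_USERID_LEN = 7   # ISU limit: TSO ids and JOB-statement user ids cannot exceed seven


def _letters(name: str) -> str:
    # Assumption: keep only A-Z, so "O'Brien" contributes "OBRIEN".
    return re.sub(r"[^A-Za-z]", "", name).upper()


def check_length(uid: str) -> str:
    """RACF allows 1-8 characters; ISU restricts ids to 7 so they also fit TSO/JCL."""
    if not 1 <= len(uid) <= MAX_USERID_LEN:
        raise ValueError(f"{uid!r} is not 1..{MAX_USERID_LEN} characters")
    return uid


def employee_userid(first: str, middle: str, last: str) -> str:
    """First initial + middle initial + first five letters of the last name."""
    f, m, l = _letters(first), _letters(middle), _letters(last)
    if not (f and m and l):
        raise ValueError("the convention needs a first, middle and last name")
    return check_length(f[0] + m[0] + l[:5])


def acs_student_userid(class_number: int, section: int, seq: int) -> str:
    """'@' + three-digit ACS class number + section digit + two-digit student number."""
    if not (100 <= class_number <= 999 and 0 <= section <= 9 and 0 <= seq <= 99):
        raise ValueError("class number must be 3 digits, section 1 digit, seq 00-99")
    return check_length(f"@{class_number:03d}{section}{seq:02d}")


def classify(uid: str) -> str:
    """Tell an ACS student id (@ plus six digits) from an employee id (letters only)."""
    if re.fullmatch(r"@\d{6}", uid):
        return "acs-student"
    if re.fullmatch(r"[A-Z]{3,7}", uid):   # two initials plus at least one letter
        return "employee"
    return "other"


if __name__ == "__main__":
    print(employee_userid("John", "C", "Smith"), acs_student_userid(376, 1, 7))
```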

If a user is authorized for TSO, the RACF ID will need a TSO segment in the RACF user ID profile. The following attributes will need to be defined for a TSO user:

  • ACCTNUM - the user's default account number
  • JOBCLASS - default value for the user's job class
  • MSGCLASS - default value for the user's message class
  • HOLDCLASS - default value for the user's hold class
  • SYSOUTCLASS - default value for the user's SYSOUT class
  • DEST - the destination id for the user's SYSOUT data sets
  • PROC - user's default logon procedure
  • MAXSIZE - user's maximum region size
  • SIZE - user's default region size
  • SECLABEL - security label specified when the user previously logged on to TSO
  • UNIT - default device used for allocations
  • USERDATA - optional user data

If a user is authorized for CICS, the RACF ID will need a CICS segment in the RACF user ID profile. The following attributes will need to be defined for a CICS user:

  • OPCLASS - the classes assigned to this operator to which BMS (basic mapping support) messages will be routed
  • OPIDENT - an identification of the operator for use by BMS
  • OPPRTY - the priority of the operator
  • TIMEOUT - the time in minutes, currently 30 minutes, that the operator is allowed to be idle before being signed off
  • XRFSOFF - whether the operator will be signed off by CICS when an XRF takeover occurs. XRF stands for eXtended Recovery Facility. XRF is a CICS software function that minimizes the effect of various failures on the end users of the system.

Each RACF user ID will be placed in a default RACF group. If needed the RACF user ID can be placed in other RACF groups for additional security access. A RACF user ID is assigned to those groups that have the authority to access the necessary RACF resources to fulfill the employee's job requirements.

The RACF group of a user ID will obtain access to the generic or discrete data set profile. The RACF group or user ID can have NONE, READ, UPDATE, CONTROL or ALTER authority assigned to the data set profile. Most assignments are done at the group level, not at the user ID level. This way a user ID can be added to a group and obtain the necessary security access.

Access Authorities for DASD Data Sets

  • NONE - Does not allow users to access the data set.
  • READ - Allows users to access the data set for reading only. (Note: users who can read the data set can copy or print it.)
  • UPDATE - Allows users to read from, copy from or write to the data set. UPDATE does not authorize a user to delete, rename, move or scratch the data set. Allows users to perform normal VSAM I/O to VSAM data sets.
  • CONTROL - For VSAM data sets, is equivalent to the VSAM CONTROL password; that is, it allows users to perform improved control interval processing. This is control-interval access (access to individual VSAM data blocks) and the ability to retrieve, update or delete records in the specified data set. For non-VSAM data sets, CONTROL is equivalent to UPDATE.
  • ALTER - Allows users to read, update, delete, rename, move or scratch the data set.
  • EXECUTE - For a private load library, allows users to load and execute, but not read or copy, the programs (load modules) in the library.

Note: All members of a partitioned data set (PDS) are protected by one profile. This is the profile that protects the data set.

The User might need additional security access besides the CICS and/or TSO security access assigned to the User originally. To receive these additional access authorities, the User or the User's supervisor contacts the Information Systems Access Administrator with the additional security access authorities and reasons why they are needed. The Information Systems Access Administrator requests approval from the Data Custodian. If approval is granted by the Data Custodian, then the security access is granted by the Information Systems Access Administrator. Otherwise, the Information Systems Access Administrator telephones the user and states why the Data Custodian is not allowing the security access.

A user must change their password every sixty days or when the user feels the password has been compromised. A password change prompt will be displayed once the password has expired for the user. The length of the password must be between five and eight characters.

The user cannot reuse a previous password in the password change process. A password history of five passwords is kept for each user.

A user has five attempts to log on to CICS or TSO correctly. If the user does not succeed, the signon process is aborted. The incorrect logon attempts are logged to the master console and to datasets.

CICS and TSO accounts that have been inactive for six months will become revoked. Once an account is revoked a user can display a picture id to reactivate the account. If the account is revoked for six more months, then the account is deleted completely.

When the user accesses either CICS or TSO for the first time the user is prompted with the below screen. The user is required to read the screen and answer either YES or NO. If the answer is YES, the user is allowed to obtain security access to either CICS or TSO. If the answer is NO, the user is denied all security access to CICS or TSO. Every six months the user will see the screen below and is required to answer the screen again.

ILLINOIS STATE UNIVERSITY INFORMATION SYSTEMS

Access to Information Resources and the Information Technology environment is a privilege and must be treated as such by all users of university computing and Network Resources. Access to university information and the sharing and security of that information requires that each user accept responsibility to protect the rights of the University and the University community.

  1. I will maintain data confidentiality.
  2. I will maintain the confidentiality of data security controls and passwords.
  3. I will report to management any suspected security violation.
  4. I will access and use only that information for which I am authorized.

All members of the University community who have access to data are responsible to understand and abide by the policies described in the Illinois State Information Resource Access and Security Policy and Guidelines of a Secure Computing Environment, both available on the Illinois State Gopher system or on the World Wide Web (WWW).

I have read, understand and agree to abide by the above guidelines.

Response:____________________

Please respond "yes" or "no"


Data Custodian's Guidelines

Introduction

Information Systems (IS) is responsible for ensuring the confidentiality, integrity, and availability of all administrative information that it processes and stores, whether on the University mainframe, on minis, on micro-computers or on LAN servers. The Illinois State University Information Resource Access and Security Policy, written by IS, assists the University in accomplishing these objectives. The following Data Custodian's guidelines govern information security for the University's data so that the designated Data Custodians have the guidance they need to support the Policy. IS and the Data Custodians are subject to security audits by internal and external auditors for compliance with standard computing practices.

Data Custodians have a responsibility to the University to ensure they grant access to data only to those who require that access to perform their job responsibilities. The Data Custodian must be familiar with the data for which they are responsible and with the methods for accessing it. He/she should know how this data is used within the business functions of the University. If, for any reason, the Data Custodian questions whether a position would require a requested access, they should feel free to interview the requester to verify that the position does actually require that access. More sensitive data, update capability accesses, etc., may always warrant the interview follow-up.

Data Custodian's Responsibilities

Data Custodians are delegated by University management the responsibility for controlling university data within their areas. Their responsibilities include the following:

  1. Controlling data definitions to ensure data conform to consistent definitions over the life of the data.
  2. Approving requests for access to University data submitted by authorized University personnel.
  3. Authorizing all computer Project Work Orders.
  4. Reviewing accesses and transaction groups ensuring the accesses and groups are appropriate and valid.
  5. Monitoring the data to ensure data processing procedures are effective.

Information Systems Access Administrator's Responsibilities to the Data Custodian:

  1. Help the Data Custodian troubleshoot problems they are encountering.
  2. Make necessary access changes immediately, depending on severity.
  3. Provide audit listings, which include:
    1. All University positions that have access to the Data Custodian's data.
    2. CICS transaction groupings.
    3. Those who are sharing a sign-on.
  4. Coordinate access requests between the individual and the Data Custodian.

Procedures

The separation between the Information Systems Access Administrator and the Data Custodian strengthens security by ensuring that no single person can both approve and grant access permissions. The following is the procedure to follow to create or modify accesses.

  1. Make access requests for data to the Information Systems Access Administrator via telephone, letter, or e-mail containing information of which accesses and why they are necessary for a user to perform their job responsibilities.
  2. The Information Systems Access Administrator will forward a letter to the Data Custodian to obtain a signature authorizing the requested access.
  3. The Data Custodian returns the letter granting access, either signed or with a reason for not signing, to the Information Systems Access Administrator.
  4. The Information Systems Access Administrator will make the necessary changes to create the appropriate accesses.

Considerations

The Data Custodian must be familiar with the data to know how that data affects the business functions of the University community. This familiarity with the data will guide the Custodian in making the appropriate decisions for controlling data definitions, to ensure the data conforms to consistent definitions over the life of the data.

All mainframe accesses are in transaction groups. To ensure the accesses are appropriately granted, the Data Custodian must be familiar with the transaction groups. The transaction groups consist of transactions that are similar, such as those sharing the same data, update capabilities of a particular file, etc. If the Data Custodian grants access to a single transaction, this may also grant access to several other transactions, depending on how many are in the same group. The Data Custodian must acknowledge all the transactions being authorized when signing access for a single transaction. The Data Custodian is responsible for granting access to the University's data. In addition, keep in mind that even when a transaction is display only, the data being displayed must be considered: is it sensitive or public?

Once the Data Custodian acknowledges which transactions are included, the Data Custodian must decide if the position requesting that transaction should be able to access every transaction in the group. If a position is questionable for access to a (some) particular transaction(s), the requester or their supervisor should be contacted. The Information Systems Access Administrator is only the administrator and coordinator of accounts, not the person to make the final decision of who should have access to what data.

Information Systems Access Administrator

Systems Programmer

This section defines the duties that are expected of the systems programmer and/or the Information Systems Access Administrator during the entire automation process. This is a position in the Network Services branch of Information Systems. A person must have the position of a Systems Programmer before he/she can obtain the title of Information Systems Access Administrator. Information Systems Access Administrator is a title that is given to a Systems Programmer that can handle the security functions. Systems Programmer is the job classification that is given to an employee from the Human Resource Office.

Systems Programmer's Responsibilities

  1. Notify the User of their CICS security access, their TSO security access or both.
    A list of authorized transactions for an employee's position is sent to the employee through campus mail. The employee's signon name and password formula to access their CICS transactions is at the top of the transaction list. At this time, the password must be changed within five working days. If the password is not changed, the CICS signon will then become inactive. To reactivate the CICS signon, a picture ID must be brought to Room 136H in Julian Hall.

    If the employee is authorized for TSO access, the Information Systems Access Administrator calls the employee, via telephone, and states the TSO user ID and the password formula. When the TSO user logs onto TSO, the password must be changed immediately. The TSO user has five working days to change the password or else the TSO user ID is revoked. If the TSO user ID is revoked, the user must come to Julian Hall 136H with a picture ID to get the TSO user ID active again.

    At the present time, a phone call is given to the TSO user because there are not very many requests. Once TSO becomes more popular, a program will be written to generate the necessary information for TSO, similar to the CICS letter.

    Note: The letter the user receives when obtaining a new position at the University (either new to the University or changing departments and/or positions at the University) contains the CODE OF RESPONSIBILITY FOR SECURITY AND CONFIDENTIALITY OF DATA on the back of the formatted letter. Each employee at the University using CICS must see a copy of the CODE OF RESPONSIBILITY FOR SECURITY AND CONFIDENTIALITY OF DATA.

  2. Maintain the list of Extra Help personnel, Graduate Students, Guest Accounts, Student Help and positions having not eligible position numbers at the University having CICS or TSO security access.
  3. Review all RACF security violations reports that are generated.

Systems Programmer's Yearly Responsibilities

Once a year, around February, the Information Systems Access Administrator sends an audit report to every Data Custodian. This includes a memo, a list of all job classes, departments and positions or job classifications and departments that have access to their transactions and datasets and an authorization form to be signed by the Data Custodian.

Glossary

Access Database: The database maintained by the Information Systems Access Administrator. This database contains the appropriate CICS security access for every position at the University.

Critical Data: Data that is critical to the business functions of the University.

Data: Information displayed either in straight text format, on a screen or by a CICS transaction.

Data Custodian: Individuals delegated by University Management to provide the means for controlling the information resources within the Data Custodian's units. Data Custodians must authorize all CICS security access.

Data Security Administrator: A position in the Administrative Computing branch of Information Systems that monitors all security issues.

ISI Database: A database that stores all of the employee, both faculty and staff information for each individual employed at Illinois State. This includes salary and position information.

Information Systems Access Administrator: A position in the Network Services branch of Information Systems that maintains all security issues for the mainframe.

Profile: Data that describes the significant characteristics of a user, a group of users, or one or more computer resources.

Public Data: Data that anyone should be able to see, open to the public.

RACF Administrator: A person designated to assign all RACF security for the operating system's resources.

RACF database: A collection of interrelated or independent data items stored together without unnecessary redundancy, to serve RACF.

Sensitive Data: Data that is sensitive in nature, personnel and private information.

University Management: Consists of the President, the Vice Presidents, Department Chairs, Department Deans and Directors at Illinois State.