STIGQter: STIG Summary: z/OS IBM CICS Transaction Server for ACF2 STIG, Version: 6, Release: 6, Benchmark Date: 24 Apr 2020

Sensitive CICS transactions are not protected in accordance with the proper security requirements.

DISA Rule

SV-7191r3_rule

Vulnerability Number

V-6896

Group Title

ZCICA025

Rule Version

ZCICA025

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

The Systems Programmer and IAO will ensure the ACF2/CICS parameter PROTLIST is not coded.

Browse the ACF2/CICS data set allocated by the ACF2PARM DD statement in the JCL of each CICS procedure.

Make sure the PROTLIST parameter is not specified for any CICS region.

Check Contents

a) Refer to the following report produced by the z/OS Data Collection:

- EXAM.RPT(CICSPROC)

Refer to the CICS Systems Programmer Worksheets filled out from previous vulnerability ZCIC0010.

b) Browse the ACF2/CICS data set allocated by the ACF2PARM DD statement in the JCL of each CICS procedure.

c) If the PROTLIST parameter is not specified for any CICS region, there is NO FINDING.

d) If the PROTLIST parameter is specified for any CICS region, this is a FINDING.

Documentable

False

Severity Override Guidance

a) Refer to the following report produced by the z/OS Data Collection:

- EXAM.RPT(CICSPROC)

Refer to the CICS Systems Programmer Worksheets filled out from previous vulnerability ZCIC0010.

b) Browse the ACF2/CICS data set allocated by the ACF2PARM DD statement in the JCL of each CICS procedure.

c) If the PROTLIST parameter is not specified for any CICS region, there is NO FINDING.

d) If the PROTLIST parameter is specified for any CICS region, this is a FINDING.

Check Content Reference

M

Responsibility

Systems Programmer

Target Key

198
