Enterprise Research z/OS

CICS/Lock Modernization Guide

Tools and Utilities | 3270 | CICS | Security

CICS/Lock is a tools and utilities product by Enterprise Research. Explore technical details, modernization strategies, and migration paths below.

Product Overview

CICS/Lock enhances the security of CICS environments by automatically locking inactive 3270 sessions.

It is a security tool that adds an extra layer of protection to existing CICS applications without requiring extensive modifications.

Modernization Strategies

Rehost

Timeline: 6-12 months

Lift-and-shift to cloud infrastructure with minimal code changes. Fast migration with lower risk.

Refactor (Recommended)

Timeline: 18-24 months

Optimize application architecture for cloud while preserving business logic. Best ROI long-term.

Replatform

Timeline: 3-5 years

Complete rewrite to cloud-native architecture with microservices and modern tech stack.

Frequently Asked Questions

General

What does CICS/Lock do?

CICS/Lock automatically locks inactive CICS 3270 sessions. When a session is inactive for a defined period, the product displays a logon screen, requiring the user to re-enter their password to regain access. This helps prevent unauthorized access to sensitive CICS applications and data.

Is this a system, application, or tool?

CICS/Lock is a security tool designed to enhance the security of CICS environments. It is not a system or application in itself, but rather a utility that adds an extra layer of protection to existing CICS applications.

What types of organizations use this?

Organizations that rely on CICS for transaction processing and require enhanced security for their 3270 sessions will find CICS/Lock beneficial. This includes financial institutions, insurance companies, retail businesses, and government agencies.

When should we consider CICS/Lock?

Consider using CICS/Lock when you need to enforce stricter security policies for CICS sessions, prevent unauthorized access due to unattended terminals, and comply with security regulations. It is especially useful in environments where sensitive data is displayed on 3270 screens.

What are the alternatives to CICS/Lock?

Alternatives to CICS/Lock include manual session timeout configurations within CICS, other third-party CICS security products, and implementing broader security solutions that encompass mainframe access control. CICS/Timeout is a related product that provides similar functionality.

Technical

What infrastructure is required?

CICS/Lock runs on z/OS and requires the CICS transaction processing system to be present. It operates within an LPAR and integrates with CICS to monitor and control 3270 sessions. No other specific subsystems are explicitly required, but a security manager like RACF, ACF2, or Top Secret is typically used for password validation.

How does CICS/Lock integrate with existing security systems?

CICS/Lock typically integrates with existing security managers such as RACF, ACF2, or Top Secret for user authentication. It intercepts CICS terminal input to enforce the password re-entry requirement after a period of inactivity. The product enhances CICS security without requiring major modifications to existing CICS applications.

What are the main components of CICS/Lock?

The core component of CICS/Lock is a CICS transaction that monitors terminal activity. When inactivity is detected, this transaction initiates a password re-entry screen. The product also includes configuration files to define timeout values and other parameters.

How is CICS/Lock configured?

Configuration files are used to define the inactivity timeout period, the appearance of the password re-entry screen, and other operational parameters. These files are typically customized during implementation to meet specific security requirements.

Business Value

What is the business value of CICS/Lock?

CICS/Lock enhances the security posture of CICS environments by preventing unauthorized access to unattended 3270 sessions. This reduces the risk of data breaches and helps organizations comply with security regulations. The product provides a cost-effective way to improve security without requiring extensive application changes.

What happens if an organization does not use CICS/Lock?

Without CICS/Lock, organizations are more vulnerable to unauthorized access to CICS applications and data through unattended 3270 sessions. This can lead to data breaches, compliance violations, and reputational damage.

What is the licensing model for CICS/Lock?

The licensing model for CICS/Lock is typically based on the number of CICS CPUs or LPARs where it is installed. The total cost of ownership includes the initial license fee, annual maintenance fees, and the cost of implementation and customization.

Security

What authentication methods are supported?

CICS/Lock supports authentication through integration with external security managers like RACF, ACF2, and Top Secret. It leverages these systems to validate user credentials during the password re-entry process. The product itself does not store or manage user passwords.

What access control model is used?

CICS/Lock uses an access control model based on existing CICS security configurations and the security manager in use (RACF, ACF2, Top Secret). It builds on this by adding a further layer of security: mandatory password re-entry after inactivity.

What encryption is used and where?

CICS/Lock does not directly encrypt data. However, it enhances security by requiring password re-entry, which helps protect sensitive data displayed on 3270 screens from unauthorized viewing.

What audit/logging capabilities exist?

CICS/Lock provides audit logging capabilities to track session lock and unlock events. These logs can be used to monitor security activity and identify potential security breaches. The logs typically include timestamps, user IDs, and terminal IDs.

Operations

How is CICS/Lock typically deployed?

CICS/Lock is typically deployed on-premises, as it is designed to run within a z/OS environment alongside CICS. The implementation involves configuring the product to integrate with the existing CICS security infrastructure.

What level of technical expertise is required to implement it?

Implementing CICS/Lock requires a moderate level of technical expertise, including knowledge of CICS, z/OS, and security managers like RACF, ACF2, or Top Secret. The implementation team should be familiar with CICS transaction processing and security concepts.

What ongoing operational requirements exist?

Ongoing operational requirements include monitoring the CICS/Lock logs for security events, maintaining the configuration files, and ensuring compatibility with CICS and security manager upgrades. Regular security audits should also be performed to verify the effectiveness of the product.

What are common implementation challenges?

Common implementation challenges include ensuring seamless integration with existing CICS applications, configuring the product to meet specific security requirements, and resolving conflicts with other CICS security products. Thorough testing is essential to avoid disrupting CICS operations.
