The CICS options module for EXCI (DFHXCOPT) has a parameter, SURROGCHK=YES, that authorizes access to EXCI.
MODULE NAME = DFHXCOPT
DESCRIPTIVE NAME = CICS TS External CICS Interface (EXCI) Options Module
SURROGCHK: Specifies whether a surrogate-user security check is to be performed when a userid is supplied in the EXCI parameter list.
* NO means do not perform a check.
* YES means that a check is performed that the user executing EXCI has READ access to the resource "userid.DFHEXCI" in the SURROGAT resource class, where "userid" is the userid in the DFHXCIS parameter list.
The default is YES.
What needs to be done in Top Secret to protect the resource "userid.DFHEXCI" in the SURROGAT resource class?
See the following documentation links:
SURROGAT Resource Class - Restrict Preset Security
User Identification, Authentication, and Network Security
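Sample commands (the first assigns ownership of the resource ZDFLTUSR.DFHEXCI, where ZDFLTUSR stands for the userid supplied in the EXCI parameter list; the second permits ZCICSCSS, standing for the user executing EXCI, READ access to it):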
TSS ADD(ZDFLTUSR) SURROGAT(ZDFLTUSR.DFHEXCI)
TSS PER(ZCICSCSS) SURROGAT(ZDFLTUSR.DFHEXCI) ACCESS(READ)