Mission Critical Cybersecurity and Data Privacy

Tyco Cloud has leveraged its server management and video services expertise to create and implement industry-leading secure software development, operational management, and threat mitigation practices, helping it to deliver services that achieve higher levels of security, privacy, and compliance than most customers could achieve on their own.

Tyco Cloud surveillance services undergo regular verification by third-party audit firms. Tyco Cloud shares audit report findings and compliance packages with customers to help them fulfill their own compliance obligations. By verifying that its services meet compliance standards and demonstrating how compliance was achieved, Tyco Cloud makes it easier for customers to attain compliance for the infrastructure and applications they run.

Although the Tyco Cloud video surveillance platform is cloud agnostic, its standard services run on the Azure platform. Microsoft engages in industry-leading security efforts through its centers of excellence, including the Microsoft Digital Crimes Unit, Microsoft Cybercrime Center, and Microsoft Malware Protection Center. Tyco Cloud adheres to a rigorous set of security controls that govern operations and support and works with other entities within Microsoft such as the Microsoft Operational Security Assurance (OSA) group to identify risks and share information, supporting continuous improvement in operational controls. This increases the ability to prevent, detect, contain, and respond to security threats.

For data in transit, Tyco Cloud uses industry-standard transport protocols such as SSL and TLS between cameras, gateways, devices, and data centers, and within the data centers themselves. Data at rest, such as recorded video, is encrypted and can optionally be secured using 256bit SHA keys to validate anti-tampering. For data segregation and private clouds, Tyco Cloud offers private cloud services to provide unique physical cloud instances for each of its customers. It also offers multi-tenant services, meaning that multiple customers’ deployments are stored on the same physical hardware. Tyco Cloud uses logical isolation to segregate each customer’s data from that of others. This provides the scale and economic benefits of multi-tenant services while rigorously preventing customers from accessing other’s data. For many customers, controlling the location of their data is an important element of data privacy, compliance and governance. Tyco Cloud customers can specify the geographic areas where their data is stored.

Tyco Cloud delivers a global 24x7 response service that works to mitigate the effects of attacks and malicious activity. The incident response team follows established procedures for incident management, communication, and recovery, and uses discoverable and predictable interfaces internally and externally to its customers.

Tyco Cloud provides also provides a global 24x7 access to our Product Security Incident Response Team (PSIRT) which includes a cyber security hotline for customers to contact Johnson Controls with issues or concerns around the clock and around the world.

Holistic Methodology

Under the JCI Cyber Program, the internal conformance standards established are:

· Secure Communications Cryptographic Functions

· Third Party Penetration Testing Standard

· Open Source Code Security Standard

· Application Threat Modeling Standard

· Open Source Software Security Audit-Standard Operating Procedure

· Threat Intelligence Program Standard

· Product Security Patching and Updating Documentation Standard

· Vulnerability Management Standard

Secure Development

Baseline design requirements that address core cyber threat categories for elevated security. Dedicated in-house cybersecurity test labs focused on discovering and neutralizing concerns before they reach customers. Extended testing, including bug bounty programs and 3rd party penetration testing, provides verification and validation assurance. Solution designed features that enable easier compliance with corporate policies Certified and trained experts driving design decisions.

Deployment Services

Customer education to help drive more secure installation. Thought leadership to build a pragmatic approach to address cyber risk. Compliance assistance to help you comply with industry and organizational policies Security documentation for IT acceptance.

Rapid Response

Rapid incident response to quickly respond and advise on vulnerabilities. Preemption solutions driven by ongoing threat and trend monitoring. Incident response designed in conformance with ISO standards for accurate and consistent vulnerability handling and disclosure.

Disruption is Not an Option

Operational technologies often provide critical functions which, if disrupted, can impact operational efficiency and profits and result in disclosure of sensitive information. Cyber-attackers whose aim is to cause disruption and loss have identified building and security systems as attractive targets. In today’s environment, cybersecurity plays a very crucial role in protecting building and security systems. Unfortunately, many system providers do not address cybersecurity or fall short of providing sufficient support, leaving many buildings under protected.

A Higher-Level Commitment

Johnson Controls’ approach to cyber protection is aimed at providing peace of mind to our customers. Our holistic cyber mindset begins at initial design concept, continues through product development, and is supported through deployment, including a rapid incident response to meet the comprehensive and evolving cybersecurity environments. Our methods include the ability to provide cyber resilient systems with a range of capabilities to complement the diverse security needs of our customers. We have invested in establishing a centralized dedicated Global Product Security team that is focused on managing our cyber practices with governance to enforce compliance. At Johnson Controls, we are disciplined in executing these as we understand what is at risk if we don’t.

Expert Driven Designs

Having engineering teams trained in cybersecurity has given Johnson Controls an advantage in developing products that consider cybersecurity within its core design. Our certified cybersecurity experts (CISSP, CSSLP, CEH, CCSP etc.) work to validate designs using the latest recognized industry standards and practices. Expert driven cybersecurity designs provide the forethought required to reduce risk.

Lifecycle Management

Our cyber protection approach begins with the design and doesn’t stop once a product is developed – a product secure today may not be secure tomorrow. Through the rapid incident response service, our dedicated cybersecurity team quickly assesses new threats and vulnerabilities and advises customers on how they may reduce their cybersecurity exposure.

Shared Responsibility

Since protecting against cyber threats is a shared responsibility, we engage in market facing programs to provide customer engagement, education, and thought leadership to help our customers achieve success in their mission of a more secure system.

Select Security Features

In addition to industry leading standards for cyber and data protection, Tyco Cloud also implements the following security features to support customer security:

· Encryption at rest and during transmission

· AES-192-CBC encryption for video security

· TLS 1.2+ encryption for network transport security

· No Plugins or Flash

· Strictly enforce strong user passwords

· Rotating strong device passwords unique per device

· Signed firmware from trusted sources for OTA updates

· Disable all ports/processes outside of Tyco Cloud services

· HTTPS/SSH only access to services

· Monitor all processes to detect intrusion/malware

· Two-factor setup authentication

· Latest and strongest cryptography technologies

· Internal security audits

· External third-party security audits

· External third-party pen testing

· SSL pinning

· Trusted Certificates

· Known Reciprocation

· No default usernames or Passwords allowed

Hosting Infrastructure

The Tyco Cloud software as a service platform runs on Microsoft’s Azure global data center infrastructure. All aspects of data center security infrastructure are ISO27001 and SOC2 compliant operating under the shared responsibility model with Microsoft.

Learn more here: https://www.microsoft.com/en-us/trustcenter/Compliance/ISO-IEC-27001.

Common Security Questions

Security policies and certificates

Is a security policy available for the use of devices by employees?

Yes

Johnson Controls corporate policy

Are regular security awareness training sessions on data and information security carried out with employees? How regularly?

Yes

Minimum once per quarter

Is a CSO (Chief Security Officer) available who can be contacted regarding security-relevant topics?

Yes

Jason Christman (Johnson Controls Vice President, Global Products Cyber Security)

Physical data center and Service Delivery Locations

Is video surveillance available along the entire perimeter?

Yes

Is a building management system available?

Yes

Is a burglar alarm system installed?

Yes

Is the site monitored 24/7 by an on-site security service?

Yes

Is there a staffed reception desk at which all visitors have to register?

Yes

Is access to the data center and SDL logged automatically?

Yes

Our services and applications are hosted on Microsoft Azure. Please refer to https://docs.microsoft.com/en-us/azure/security/azure-physical-security

Is two-factor authentication available for access to the data center and SDL? What factors?

Yes

Phone

Are the rooms in the data center and SDL divided into security zones? (e. g. general spaces, customer reception area, server room)

Yes

Our services and applications are hosted on Microsoft Azure. Please refer to https://docs.microsoft.com/en-us/azure/security/azure-physical-security

Are access permissions for individual security zones granted based on the principle of least privilege?

Yes

Our services and applications are hosted on Microsoft Azure. Please refer to https://docs.microsoft.com/en-us/azure/security/azure-physical-security

Are the data centers clustered? If so, how exactly? (e. g. continental, regional, metro or campus cluster)

Yes

Azure regions

Is clustering used to avoid data loss? (e. g. automatic replication)

Yes

We use Azure data centers. Please refer to https://docs.microsoft.com/en-us/azure/security/azure-physical-security

Is the service provided internationally? Which data centers and SDLs are used for this purpose?

Yes

Azure has data centers in over 140 countries

Are the data centers and Service Delivery Locations used the property of the service provider?

We use Azure data centers. Please refer to https://docs.microsoft.com/en-us/azure/security/azure-physical-security

Is the building secured against external forces in the event of force majeure? (e. g. tree falls on building, truck drives into building) – ISO 27001

Yes

We use Azure data centers. Please refer to https://docs.microsoft.com/en-us/azure/security/azure-physical-security

Does the data center have windows?

We use Azure data centers. Please refer to https://docs.microsoft.com/en-us/azure/security/azure-physical-security

Does the data center and SDL have a fire safety plan? (e. g. early detection systems, fire alarm system, smoke alarms, extinguishing equipment, regular fire drills)

Yes

We use Azure data centers. Please refer to https://docs.microsoft.com/en-us/azure/security/azure-physical-security

Are server racks/rooms protected from physical access? (e. g. by a combination lock)

Yes

We use Azure data centers. Please refer to https://docs.microsoft.com/en-us/azure/security/azure-physical-security

Can it be guaranteed that data processing is permanently carried out at the same location?

Yes

We use Azure data centers. Please refer to https://docs.microsoft.com/en-us/azure/security/azure-physical-security

Would customer be informed of changes to the data center infrastructure? How far in advance?

Yes

This can be discussed in the agreement, but in general it's between 30 - 60 days in advance

Is it possible to carry out pre-announced audits in the data center or service delivery Locations?

Yes

We use Azure data centers. Please refer to https://azure.microsoft.com/en-us/overview/trusted-cloud/

Is it possible to carry out pre-announced penetration tests of the platform?

Yes

Processes

Is a change management process established and documented?

Yes

Are change requests documented, approved by authorized persons and backed up? Is their scope of business impact evaluated?

Yes

Are changes tested in advance in order to allow potential effects to be identified?

Yes

Is a test environment available for change management and is it used for pre-testing?

Yes

We have multiple environments for development, QA, Staging, Pre-Prod and Production.

Are changes to the existing infrastructure (updates) and to the application (new version) communicated to customer? How far in advance?

Yes

This can be discussed in the agreement, but in general it's between 30 - 60 days in advance

Will the discontinuation of the service be communicated to customer?

Yes

This can be discussed in the agreement, but in general it's between 90 - 180 days in advance

Is a patch management process established and documented?

Yes

Are all operating systems, applications and business-critical servers patched within 30 days of a release?

Yes

Are software updates and patches pre-tested in order to enable the early identification of potential effects?

Yes

Is a test environment available for pre-testing the patch management process?

Yes

Is a security incident management process established and documented?

Yes

Please refer to Johnson Controls Cyber Security document (attached)

Are all system-relevant incidents that affect services and systems used for customer directly forwarded to customer?

Yes

Describe your security response plan.

Yes

Please refer to Johnson Controls Cyber Security document (attached)

Can a report on security incidents be provided on a regular basis?

Yes

This can be discussed in the agreement

Is there 24/7 monitoring of the availability of infrastructure for services and resources?

Yes

Are all SLA-relevant events recorded and retained for at least 90 days? Which parameters? (e. g. network capacity, latencies, etc.)

Yes

Is the monitoring evaluated on a monthly basis in the scope of reports? (e. g. SLA report & capacity report)

Yes

Are the activities of the cloud service provider’s administrators recorded and monitored?

Yes

Application

Describe the solution architecture, multiple tiers (e.g. database, app, web), network, and technical security controls. Please provide a diagram.

Yes

Please see attached architecture document

Does your network have any single points of failure? If so describe them.

Is a user management process established?

Yes

Are account passwords able to conform to our password policy?

Yes

We enforce strong complex passwords with a minimum of 8 characters containing two upper-case, two lower case, one special character, and one number. We can extend our password policy to conform to customer's password policy.

Are generalized user accounts used for access to the systems?

Yes

Will customer be granted control over the encryption keys?

Can customer define the period for which data is retained?

Yes

Is all access automatically logged within the application?

Yes

It is not automatically logged, however it can be easily setup.

Infrastructure

Is a web application firewall used to protect the web infrastructure?

Yes

https://docs.microsoft.com/en-us/azure/application-gateway/waf-overview

Are measures taken to protect against DDOS attacks? What measures?

Yes

We have rate limiting and IP whitelist/blacklist

Is network segmentation used between the management network and the live network?

Yes

Is it only possible to establish a secured connection to a remote access session? (e. g. SSH, TLS, IPSEC, VPN)

Yes

Is encrypted communication between individual data centers guaranteed? (e. g. in the event that multiple data centers are used)

Yes

Our services and applications are hosted on Microsoft Azure. Please refer to https://docs.microsoft.com/en-us/azure/security/security-network-overview

Is data only exchanged in encrypted form with external service providers that are necessary for the operation of the data center?

Yes

Do firewall rules have to be activated for the use of the application? Which firewall rules?

Our systems communicate via HTTPS and TLS 1.2 over standard port 443.

Is there the option to establish a permanent, secure and encrypted connection between the designated data center and customer? (e. g. VPN via IPsec or MPLS)

Yes

This will require a dedicated cloud instance for customer and custom network security group setup with VPN

Is there a system in place to automatically recognize interrupted connections?

Yes

Can a fixed bandwidth be guaranteed for customer?

Yes

This will require a dedicated cloud instance for customer.

Do database or web servers run on different, dedicated systems or virtual machines?

Is it possible to operate all used systems in a dedicated way for customer? What are the exceptions?

Yes

This will require a dedicated installation instance for customer

Are all operating systems, applications and servers hardened? Or will this happen?

Yes

Is the processed data stored in a partition that is independent of the operating system?

Yes

Are the servers secured by a host based IPS?

Do the servers support SSL Perfect Forward Secrecy?

Yes

Are all virtual systems used implemented using certified software? (e. g. VM-Ware, MS Hyper-V)

Yes

Are support contracts in place with responsible service providers for all software and hardware components used?

Yes

Are the services provided protected against failure? How?

Yes

All services and applications in the cloud are protected against failure by leveraging Azure technologies. The gateway appliance server on customer site can be protected against failure using RAIDs and UPS battery.

Are backups carried out regularly? What is stored in the scope of a backup and how often?

Yes

All services and applications in the cloud have automatic backup and replication using Azure technologies. The gateway appliance server on customer site can backup data to our cloud.

Are backups retained? For how long (months)?

Yes

Depends on the use case

Can customer have an influence on the time and scope of the data backup? To what extent?

Yes

You can select and configure data retention and what data to backup to the cloud.

Is anti-virus software with current virus patterns in use within the environment infrastructure?

Yes

Is incoming, processed and outgoing data checked for viruses?

Yes

Business continuity management

Are emergency drills for the failure of critical components (e. g. Internet connection, power supply, network) carried out regularly?

Yes

We use Azure data centers. Please refer to https://docs.microsoft.com/en-us/azure/security/azure-physical-security

Contract design

Are there regular audits and certifications to check and certify data protection with the contractor and the obligations towards the client?

Yes

Is customer obliged to accept fixed service quotas?

Will customer have access to data and services in the event customer fails to pay?

Customer will have access to data that is stored locally on gateways, but may not have access to video stored on the Cloud.

May you please provided your data retention policy?

Yes

Events data are stored for up to 180 days (can be longer depending on customer needs). Video data are stored locally and/or in the cloud based on available disk space and customer needs.

Is it ensured that the data will actually be deleted upon customer’s request?

Yes

Is a source code deposit available?

Yes

Is the software used linked to a specific platform? Which one?

Service Level Agreement (SLA)

Can it be contractually ensured that customer will be proactively informed of interruptions or failures that affect the infrastructure used by customer?

Yes

Are specific maintenance slots and patch days defined for the designated infrastructure?

Yes

customer can schedule updates & patch fixes in coordination with Tyco Cloud

Data protection

Has a company data protection officer been appointed in writing? (Please specify the contact details and list this person's fields of activity)

Yes

Johnson Controls has Chief Data Privacy Officer

Are employees obligated to comply with data and business confidentiality regulations?

Yes

Are there any policies on data protection law and work instructions regarding the handling of personal data?

Yes

Is it possible to restrict the location for data storage to US or other countries if required due to legal or governmental requirements of customer?

Yes

Is a sufficient level of data protection provided even outside of the US?

Yes

Cloud and eCommerce Services

Are services expose to the Internet? If so list them. (Examples: HTTP(S), FTP, SSH, etc.)

Yes

HTTPS & SSH

Is Two-Factor Authentication offered? If so, what types?

Yes

Two-factor authentication via SMS and email will be released later this year

Is the service PCI compliant? If yes provide your PCI AOC. If your cart is third party, please provide the vendor's AOC.

Yes

We use Stripe for ecommerce (https://stripe.com/guides/pci-compliance)

Is the solution compliant with PCI standards for new deployments?

Yes

We use Stripe for ecommerce (https://stripe.com/guides/pci-compliance)

Do you use a separate gateway/payment processor?

Yes

We use Stripe for ecommerce (https://stripe.com/guides/pci-compliance)

Is the e-com platform hosted within a single tenant environment?

Yes

We support both single-tenant and multi-tenant deployments

Do you store any customer personal information? If so, please provide details on how this information is protected.

Yes

https://www.johnsoncontrols.com/legal/privacy

How is customer card information secure for data in use, transit, and rest?

Yes

We use Stripe for ecommerce (https://stripe.com/guides/pci-compliance)

Is Denial of Service protection is offered?

Yes

Provide details how sessions are managed, specifically as they relate to transaction and/or shopping cart operation.

Yes

Sessions are managed through short-lived access token. The integration with Stripe is done only on our cloud backend using Stripe API.

GDPR Privacy Shield Compliance

Tyco Cloud solutions are certified as Johnson Controls, Sensormatic Electronics LLC under the EU-U.S Privacy Shield and Swiss-U.S. Privacy Shield Frameworks. The Global Public Privacy Notice applicable to Personal Data other than Human Resources data is available here: https://www.johnsoncontrols.com/legal/privacy.