Enterprise
Johnson Controls protects the digital environments that run our
business systems, support development, and host customer data
and applications. The enterprise security program is led globally
by the Chief Information Security Officer (CISO).
At Johnson Controls, our unified security control framework is
applied across the enterprise and is derived from industry
standards such as:
• National Institute of Standards and Technology (NIST) Special Publication 800-53
• International Organization for Standardization (ISO) 27001
• Payment Card Industry Data Security Standard (PCI DSS)
Product
Johnson Controls designs cybersecurity into our commercial
product offerings and endeavors to protect those solutions
(including software, hardware and hosted solutions) throughout
the product lifecycle. Our secure product practices include the
design, sourcing, development, deployment, support and retirement
of products. All new Johnson Controls commercial products are
developed under the governance of our cybersecurity policies.
The product security program is led globally by the Chief Product Security Officer (CPSO).
Secure Development Lifecycle
Johnson Controls is ISASecure Secure Development Lifecycle
Assurance (SDLA) certified; the ISASecure SDLA program certifies a
development process against the IEC 62443-4-1 requirements. Johnson
Controls branded solutions are within the scope of this certification.
• Secure by design – Products adhere to established criteria
and include security controls for the intended operational
environment in compliance with applicable standards and
regulations.
• Security testing – Johnson Controls products undergo internal
and external assurance testing, including vulnerability scans and
penetration tests as required.
• Supply chain risk management – Johnson Controls validates
that third-party suppliers of essential products, components
and technology solutions meet our security requirements.
• Lifecycle risk management – Products are developed and
solutions are deployed in a way that helps our customers
meet their own compliance requirements.
Cloud solutions – OpenBlue and others
OpenBlue is a complete suite of connected smart building solutions,
from edge to cloud. OpenBlue and other cloud-based solutions
from Johnson Controls hosted in Microsoft Azure, Google Cloud
or Amazon Web Services are protected environments that
conform to industry-recognized standards, such as:
• ISO 27001 – Information Security
• ISO 27017 – Information Security for Cloud Services
• ISO 27018 – Code of Practice for Personal Data in the Cloud
• SOC 1, 2, 3 – System and Organization Controls reports: SOC 1
covers controls relevant to customers' financial reporting; SOC 2
and SOC 3 cover the security, availability, processing integrity,
confidentiality and privacy of information stored and processed
in the cloud
Additional security compliance information for the underlying
cloud platforms is available from each provider:
• Google Cloud compliance website:
https://cloud.google.com/security/compliance/offerings#/
• Microsoft Azure compliance website:
https://docs.microsoft.com/en-us/compliance/regulatory/offering-home
• Amazon Web Services compliance website:
https://aws.amazon.com/compliance/programs/
Data protection
When processing customer information, we have data protection
controls in place to strictly limit access to authorized personnel.
Sharing of data with third parties is defined by functionality and
terms associated with each solution and occurs when authorized
by the data owner.
Incident response
• Johnson Controls activates its security incident response
process and adheres to disciplined operating procedures
when responding to a security incident or breach.
• A tiered escalation and coordination process is followed
that includes initial triage, severity determination, and
customer notification.