Incident Policies
As a key feature of the Analytics, Reporting, and Incident Management product within the Kisi One Security Platform, Incident Policies bring a robust solution to monitoring and managing security incidents. This feature empowers admins with real-time notifications and proactive response capabilities, ensuring that you can swiftly address and review security events. With Incident Policies, you gain comprehensive oversight and timely action, enhancing your overall security management and providing greater peace of mind.
Incident types
Currently, Kisi’s Incident Policies offer the following types:
- Door Held Open: Receive alerts when a door remains open beyond a specified time. Notifications will continue at set intervals until the door is closed, ensuring that any potential security issues are addressed promptly.
- Impossible Travel: Get notified when access events occur in locations that are geographically too distant to be realistically covered by the same user within the given timeframe. This helps identify potential unauthorized access attempts or compromised credentials.
- Hardware Outage: Alerts for hardware malfunctions or failures that impact security operations, e.g., "Hardware outage in the New York office."
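As an added illustration of how an Impossible Travel check like the one described above can be computed over access events (this is example code, not Kisi's implementation), the snippet below compares each user's consecutive door events and opens an incident when the implied speed is not realistic. The event fields, the policy dictionary, the 900 km/h threshold and the sample events are all assumptions.

```python
import math
from datetime import datetime

# Constructed sample access events (user, ISO timestamp, door latitude, door longitude).
# These are made-up values, not data from any real Kisi deployment.
EVENTS = [
    ("alice", "2024-05-01T09:00:00", 40.7128, -74.0060),  # door in New York
    ("alice", "2024-05-01T09:45:00", 40.7306, -73.9352),  # nearby door, plausible
    ("alice", "2024-05-01T10:30:00", 51.5074, -0.1278),   # door in London, 45 min later
    ("bob",   "2024-05-01T09:00:00", 40.7128, -74.0060),
    ("bob",   "2024-05-01T19:00:00", 51.5074, -0.1278),   # 10 h later, reachable by air
]

# Assumed policy shape: type, severity level and the speed above which travel is deemed impossible.
POLICY = {"type": "Impossible Travel", "severity": "Critical", "max_speed_kmh": 900.0}

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def detect_impossible_travel(events, policy=POLICY):
    """Compare each user's consecutive events; open an incident when the implied speed exceeds the policy threshold."""
    incidents = []
    last = {}  # user -> (time, lat, lon) of that user's previous event
    for user, ts, lat, lon in sorted(events, key=lambda e: (e[0], e[1])):
        t = datetime.fromisoformat(ts)
        if user in last:
            t0, lat0, lon0 = last[user]
            hours = (t - t0).total_seconds() / 3600
            dist = haversine_km(lat0, lon0, lat, lon)
            # Same-second events at distinct doors imply infinite speed; ignore sub-100 m jitter.
            speed = float("inf") if hours <= 0 else dist / hours
            if dist > 0.1 and speed > policy["max_speed_kmh"]:
                incidents.append({
                    "type": policy["type"], "severity": policy["severity"],
                    "status": "Open", "user": user,
                    "distance_km": round(dist, 1), "elapsed_h": round(hours, 2),
                })
        last[user] = (t, lat, lon)
    return incidents

if __name__ == "__main__":
    for inc in detect_impossible_travel(EVENTS):
        print(inc)
```

Only alice's New York to London pair within 45 minutes is flagged; bob's ten-hour gap stays under the threshold.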
Additional incident types will be introduced in future releases:
- Tailgating: Alerts for when tailgating is detected, allowing you to address instances where unauthorized individuals follow authorized users into restricted areas.
- High Digital Credentials Usage: Alerts for unusually high usage of digital credentials, helping to detect potential misuse or compromised access.
- Excessive Access Denial: Receive notifications when there are frequent access denials across multiple doors, which could indicate potential issues with access control or attempts to breach security.
Fully customizable Incident Policies
You can define different incident policies for various locations within your organization and customize them based on type, severity level, instructions, and audience.
Define incident severity level
When setting up policies, you can assign a severity level to each incident policy. The available severity types are:
- Info: For informational alerts that do not require immediate action.
- Warning: For incidents that suggest a potential issue that should be monitored.
- Critical: For urgent incidents that require immediate attention and action.
Share instructions on how to handle an incident
Additionally, you can include specific instructions with each incident policy. These instructions will be displayed along with the incident alert, providing clear guidance to the responsible team members on how to handle the situation. Some examples by severity level:
- Severity level: Info. Instruction example: "Review the incident and log any relevant details. No immediate action is required, but monitor the situation for any changes. Close the incident after ensuring all information has been documented."
- Severity level: Warning. Instruction example: "Acknowledge the incident and notify the on-call team member. Monitor the situation closely, and take preemptive action if necessary. Document any findings and close the incident once the issue has been resolved or if no further action is needed."
- Severity level: Critical. Instruction example: "Immediately acknowledge the incident and assign it to the responsible team member. Investigate the cause and take corrective action to resolve the issue. If the situation cannot be contained, escalate to higher management. Document all actions taken and close the incident only after confirming that the threat has been neutralized."
Set the right audience
To ensure that the right people are informed, you can define multiple users to receive incident notifications. Alerts can be sent via web, email, or push notifications, making it easy to keep relevant personnel informed and ready to respond.
Handling incidents
Once an incident occurs, the admin can assign a responsible user to manage the situation. Depending on how the incident is handled, it can move through one of four statuses, each representing a different stage in the incident management process:
- Open: This status indicates that a new incident has been detected and is pending review. No action has been taken yet, and it remains active in the system.
- Acknowledged: After the assigned user reviews and recognizes the incident, they can change its status to Acknowledged. This means that the incident is being actively monitored or investigated but is not yet resolved.
- Resolved: When the incident has been fully addressed and all necessary actions have been taken, it can be marked as Resolved. This status signifies that the issue has been dealt with, and the incident is closed.
- Dismissed: If the incident is determined not to be a security threat and requires no further action, it is marked as Dismissed. This status indicates that the incident has been reviewed and found to be non-critical, with no further follow-up needed.