Back to Monitoring component
Capability MO.4

Physical and Digital Activity Correlation

"Physical access to facilities is monitored and correlated with digital activity (e.g., badge data, CCTV, tailgating detection)."

This capability evaluates whether the organization has the ownership, process, evidence, and oversight needed to manage physical and digital activity correlation as part of a defensible insider risk monitoring program.

Scope & Context

What This Capability Means

Physical and Digital Activity Correlation assesses whether physical access activity can be reviewed and correlated with digital activity where appropriate, including badge data, facility access, CCTV, device use, and logon patterns.

Strategic Importance

Why This Capability Matters

Insider risk can span physical and digital environments. Badge access, facility presence, device activity, and system logons can reveal inconsistencies that single-source monitoring may miss.

AI Monitoring Context

AI can help correlate physical and digital activity, but physical-digital conclusions should remain explainable, proportionate, and subject to human review before any significant workforce or investigative action is taken.

Capability Assessment

Weakness vs. Maturity Indicators

Signs of Weak Capability
  • Physical access data is not available to insider risk workflows.

  • Badge, CCTV, facility, and digital activity are reviewed separately.

  • Impossible badge/logon combinations or tailgating indicators are not detected.

  • Physical access gaps are not reconciled or reported.

  • Credential disablement or response processes are slow or unclear.

Signs of Mature Capability
  • Physical access events are logged and reviewable through approved processes.

  • Physical and digital activity can be correlated for triage and investigation.

  • Rules or workflows flag impossible combinations and access anomalies.

  • Daily or periodic reconciliation identifies missing or inconsistent records.

  • Response teams can act quickly when physical-digital anomalies create risk.

Executive Oversight

Questions Leaders Should Ask

Security, legal, and operational executives can use these core questions to evaluate ownership, effectiveness, and evidence.

Can facility access data be correlated with digital activity?

Are badge and logon inconsistencies detected and reviewed?

Who can access physical-digital correlation data?

How are physical access gaps reconciled?

Can credentials be disabled quickly when risk is confirmed?

Defensibility & Audit

Evidence Examples

These artifacts demonstrate that the monitoring capability is operational, documented, and aligned with standard practices.

Badge access logs

Facility access monitoring procedure

CCTV access procedure

Physical-digital correlation rules

Reconciliation reports

Credential disablement workflow

Physical security escalation records

Alignment Mappings

Mapped Standards & References

Reference StandardRelevance Statement
NIST 800-53, r5 (3.11, PE-6)Supports monitoring of physical access to facilities and sensitive areas.

Use this mapping to ask:

  • Can facility access data be correlated with digital activity?

  • Are badge and logon inconsistencies detected and reviewed?

  • Who can access physical-digital correlation data?

  • How are physical access gaps reconciled?

Note: Standards mappings are provided for reference only. Organizations should validate applicability based on their regulatory environment, workforce locations, data types, internal policies, and legal obligations.
RiskTKO® Bridge

Related RiskTKO® Outcomes

Evidence CategoryOperational Example
Assessment evidenceBadge access logs, Facility access monitoring procedure, CCTV access procedure.
AI-related evidencephysical-digital AI correlation logic summary, human review record, exception review log, privacy approval for correlation use.
Risk evidenceRisk register item or exposure narrative tied to physical and digital activity correlation.
Roadmap evidenceRecommended action to improve physical and digital activity correlation, with owner, milestone, and completion status.
Executive evidenceExecutive summary showing current state, progress, remaining gaps, and risk reduction for physical and digital activity correlation.

RiskTKO® protects proprietary logic (scoring metrics, weights, questionnaire logic, automated roadmap planning) while operationalizing these evidence logs inside the assessment dashboard.

Operationalize This Capability

Assess MO.4 in RiskTKO®

The public framework defines what good looks like. RiskTKO® helps teams assess where they stand, identify gaps, prioritize what to fix, build a roadmap, and generate executive-ready evidence.