Documentation · Compliance

Compliance mapping

A mapping of the concrete requirements internal and external auditors test to Mergen detections and controls — PCI-DSS v4.0, HIPAA, GDPR, KVKK (6698), BDDK, SOX/ISACA and ISO 27001:2022. Every Mergen detection carries the audit-trail fields regulators require: source host, event time, rule, statement, session user, and client IP.

Coverage: built-incustomconsoleroadmap

PCI-DSS v4.0

Source: PCI SSC — official standard + testing procedures
Req 10.2.1.2 — log all admin/DBA actions DBA-activity trail (user_in) + every detection carries user/time/host; login_audit. Per-action wire capture, not screenshots. custombuilt-in
Req 8.2.2 — shared/generic accounts attributable generic_account_usage recipe on known shared logins; attribution = the session user observed on the wire. custom
Req 7 — least privilege role_privilege_escalation, dangerous_grant, ddl_by_non_admin, non-app-access recipe. built-incustom
Req 10.4.1 — daily review workflow Console alert policies + delivery history. A review sign-off artifact is a console follow-up. consoleroadmap
Req 10.2.1.3 / 10.3.2 — audit-log tamper audit_tamper (ALTER SYSTEM logging), system_catalog_recon; the event store is append-only and off-host. built-in

HIPAA (45 CFR)

Source: HHS OCR — Audit Protocol
164.312(b) — audit controls over ePHI Full DB activity capture; PII/PHI rules (pii_content) fire on ePHI access. built-in
Logging enabled & generating? Fail-loud capture health: capture_stalled, framer_desync_burst, /metrics — proves capture is live, not silently blind. built-inconsole
164.308(a)(1)(ii)(D) — activity review, certified Console alerts + reports. A certified review sign-off is a console follow-up. consoleroadmap

GDPR

Source: EDPB Guidelines 09/2022; Regulation (EU) 2016/679
Art. 32 — detection capability Mergen is the detection layer — 53 rules + UEBA over live DB traffic. Absence of detection is itself a gap. built-in
EDPB — log correlation into alerts Sinks to SIEM (Kafka/OTLP/syslog/CEF/LEEF) + console correlation + policies. built-inconsole
Art. 33(5) — document all breaches Detections in ClickHouse = queryable timeline; console reports for the register. built-inconsole

KVKK (Kanun 6698)

Source: KVKK Kişisel Veri Güvenliği Rehberi + Kurul 2019/10
§3.2 — log all users of personal-data systems All DB activity captured; each detection carries user/time/host. built-in
§3.1 — privileged use + dormant accounts DBA-activity recipe; role-change rules. Dormant/terminated-access = roadmap. customroadmap
Erişim yetki matrisi + least-privilege ddl_by_non_admin, non-app-access recipe; console rule targeting (host/group/global). customconsole
Tablo 4.1 — logs · masking · IDS/IPS · DLP Access/log records ✅ · IDS/IPS = detection engine · data masking = PII masking in previews · DLP = exfil rules. built-in
Kurul 2019/10 — 72h breach notice Real-time detection + queryable timeline → fast detection/notification. built-in

BDDK (Turkish banking)

Source: Resmî Gazete 15.03.2020; BDDK denetim tebliği
Art. 13/1 — audit-trail record fields Every detection: host + event_time (UTC/tz) + rule + statement + user + src_ip — an exact match to the mandated fields. built-in
Art. 24/5 — external-audit minimum set SoD recipe, access/role rules, confidentiality (PII) rules, append-only store + retention. custombuilt-inconsole

SOX ITGC / ISACA

Source: ISACA — Access Controls, IAM/DB Audit Programs, PAM Framework
Change management SoD dangerous_ddl, ddl_by_non_admin + non-app-write recipe (who changed the schema). built-incustom
Privileged access + removal re-test Role-change rules log GRANT/REVOKE; removal verification is an IAM control (Mergen supplies the evidence). built-inroadmap
Privileged session monitoring + recertification Privileged-activity detection + SIEM sink. Recertification = IAM/GRC, outside DAM. built-inroadmap

ISO 27001:2022 Annex A

Source: ISO/IEC 27001:2022
A.8.15 Logging All DB activity capture + append-only store. built-in
A.8.16 Monitoring activities UEBA (ueba_anomaly, ueba_peer_anomaly) + 53 rules. built-in
A.8.2 Privileged access Role/priv rules + DBA recipe. built-incustom

Recipe: shared / generic account usage (PCI 8.2.2)

{
  "id": "generic_account_usage",
  "severity": "warning",
  "match": { "user_in": ["sa", "admin", "root", "postgres", "svc_shared"] },
  "message_template": "shared/generic account used: {kind} on {tables} by {user}"
}

Honest gaps

  • Review sign-off — a "reviewed & certified by X on date" record on alerts (PCI 10.4.1, HIPAA). Alerts + delivery history exist; a first-class sign-off is a console follow-up.
  • Access recertification — periodic re-approval of privileged users (SOX/ISACA). An IAM/GRC function; Mergen supplies the evidence, not the workflow.
  • Stateful identity anomalies — new_source_host, dormant_reactivation, account_sharing and impossible_travel (moving faster than physically possible; public IPs only) are all covered (advanced/UEBA, opt-in). Remaining: cross-fleet correlation of a user across all databases (console v2).

This mapping is a guide, not a certification; scope your controls with your assessor. Sources are primarily official (PCI SSC, HHS OCR, EDPB, KVKK Kurumu, Resmî Gazete, ISACA).