Documentation · Compliance
Compliance mapping
A mapping of the concrete requirements internal and external auditors test to Mergen detections and controls — PCI-DSS v4.0, HIPAA, GDPR, KVKK (6698), BDDK, SOX/ISACA and ISO 27001:2022. Every Mergen detection carries the audit-trail fields regulators require: source host, event time, rule, statement, session user, and client IP.
Coverage: built-incustomconsoleroadmap
PCI-DSS v4.0
Source: PCI SSC — official standard + testing procedures | Req 10.2.1.2 — log all admin/DBA actions | DBA-activity trail (user_in) + every detection carries user/time/host; login_audit. Per-action wire capture, not screenshots. | custombuilt-in |
| Req 8.2.2 — shared/generic accounts attributable | generic_account_usage recipe on known shared logins; attribution = the session user observed on the wire. | custom |
| Req 7 — least privilege | role_privilege_escalation, dangerous_grant, ddl_by_non_admin, non-app-access recipe. | built-incustom |
| Req 10.4.1 — daily review workflow | Console alert policies + delivery history. A review sign-off artifact is a console follow-up. | consoleroadmap |
| Req 10.2.1.3 / 10.3.2 — audit-log tamper | audit_tamper (ALTER SYSTEM logging), system_catalog_recon; the event store is append-only and off-host. | built-in |
HIPAA (45 CFR)
Source: HHS OCR — Audit Protocol | 164.312(b) — audit controls over ePHI | Full DB activity capture; PII/PHI rules (pii_content) fire on ePHI access. | built-in |
| Logging enabled & generating? | Fail-loud capture health: capture_stalled, framer_desync_burst, /metrics — proves capture is live, not silently blind. | built-inconsole |
| 164.308(a)(1)(ii)(D) — activity review, certified | Console alerts + reports. A certified review sign-off is a console follow-up. | consoleroadmap |
GDPR
Source: EDPB Guidelines 09/2022; Regulation (EU) 2016/679 | Art. 32 — detection capability | Mergen is the detection layer — 53 rules + UEBA over live DB traffic. Absence of detection is itself a gap. | built-in |
| EDPB — log correlation into alerts | Sinks to SIEM (Kafka/OTLP/syslog/CEF/LEEF) + console correlation + policies. | built-inconsole |
| Art. 33(5) — document all breaches | Detections in ClickHouse = queryable timeline; console reports for the register. | built-inconsole |
KVKK (Kanun 6698)
Source: KVKK Kişisel Veri Güvenliği Rehberi + Kurul 2019/10 | §3.2 — log all users of personal-data systems | All DB activity captured; each detection carries user/time/host. | built-in |
| §3.1 — privileged use + dormant accounts | DBA-activity recipe; role-change rules. Dormant/terminated-access = roadmap. | customroadmap |
| Erişim yetki matrisi + least-privilege | ddl_by_non_admin, non-app-access recipe; console rule targeting (host/group/global). | customconsole |
| Tablo 4.1 — logs · masking · IDS/IPS · DLP | Access/log records ✅ · IDS/IPS = detection engine · data masking = PII masking in previews · DLP = exfil rules. | built-in |
| Kurul 2019/10 — 72h breach notice | Real-time detection + queryable timeline → fast detection/notification. | built-in |
BDDK (Turkish banking)
Source: Resmî Gazete 15.03.2020; BDDK denetim tebliği | Art. 13/1 — audit-trail record fields | Every detection: host + event_time (UTC/tz) + rule + statement + user + src_ip — an exact match to the mandated fields. | built-in |
| Art. 24/5 — external-audit minimum set | SoD recipe, access/role rules, confidentiality (PII) rules, append-only store + retention. | custombuilt-inconsole |
SOX ITGC / ISACA
Source: ISACA — Access Controls, IAM/DB Audit Programs, PAM Framework | Change management SoD | dangerous_ddl, ddl_by_non_admin + non-app-write recipe (who changed the schema). | built-incustom |
| Privileged access + removal re-test | Role-change rules log GRANT/REVOKE; removal verification is an IAM control (Mergen supplies the evidence). | built-inroadmap |
| Privileged session monitoring + recertification | Privileged-activity detection + SIEM sink. Recertification = IAM/GRC, outside DAM. | built-inroadmap |
ISO 27001:2022 Annex A
Source: ISO/IEC 27001:2022 | A.8.15 Logging | All DB activity capture + append-only store. | built-in |
| A.8.16 Monitoring activities | UEBA (ueba_anomaly, ueba_peer_anomaly) + 53 rules. | built-in |
| A.8.2 Privileged access | Role/priv rules + DBA recipe. | built-incustom |
Recipe: shared / generic account usage (PCI 8.2.2)
{
"id": "generic_account_usage",
"severity": "warning",
"match": { "user_in": ["sa", "admin", "root", "postgres", "svc_shared"] },
"message_template": "shared/generic account used: {kind} on {tables} by {user}"
}
Honest gaps
- Review sign-off — a "reviewed & certified by X on date" record on alerts (PCI 10.4.1, HIPAA). Alerts + delivery history exist; a first-class sign-off is a console follow-up.
- Access recertification — periodic re-approval of privileged users (SOX/ISACA). An IAM/GRC function; Mergen supplies the evidence, not the workflow.
- Stateful identity anomalies — new_source_host, dormant_reactivation, account_sharing and impossible_travel (moving faster than physically possible; public IPs only) are all covered (advanced/UEBA, opt-in). Remaining: cross-fleet correlation of a user across all databases (console v2).
This mapping is a guide, not a certification; scope your controls with your assessor. Sources are primarily official (PCI SSC, HHS OCR, EDPB, KVKK Kurumu, Resmî Gazete, ISACA).