All institutions operating in Türkiye must comply with the Personal Data Protection Law No. 6698 (KVKK) and the Internet Law No. 5651. These two laws impose specific obligations on log management and security monitoring. If your SIEM system does not meet these obligations, there is a risk of heavy penalties in an inspection.
In this article, we examine concretely what to do so that a SIEM complies with KVKK and Law 5651.
Why SIEM and KVKK?
Article 12 of the KVKK obliges data controllers to "prevent unlawful processing of personal data" and to "restrict access". In practice this means:
- Who accesses personal data should be logged
- Unauthorized access should be detected
- A data breach should be notified to KVKK within 72 hours
SIEM is the practical tool for meeting these obligations. Manual processes are not enough.
Checklist — 15 Requirements
1. Log Retention Period
As per Law 5651, internet access logs must be stored for a minimum of 6 months. In some sectors (banking, health) this period extends up to 2 years.
Does your SIEM store logs for the legally required period? How much storage have you planned, and for which retention period?
2. Log Integrity
In an audit, it must be proven that logs have not been manipulated. Integrity verification with hashes or signatures is required.
- Is the SHA-256 hash of log files calculated?
- Are hashes stored in a separate, secure location?
- Is log tampering (deletion, change) detected?
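The three questions above, as an added example that is not part of the original article: each log file is hashed with SHA-256, the list of hashes is sealed with an HMAC under a key that lives outside the log host (the key value here is a placeholder), and verification reports deleted, modified and unexpected files. The log files and their contents are constructed for the demo.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(log_dir: Path, key: bytes) -> dict:
    """Hash every log file and seal the list with an HMAC: someone who can edit
    logs but does not hold the key cannot produce a matching manifest."""
    entries = {p.name: sha256_file(p) for p in sorted(log_dir.glob("*.log"))}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"files": entries, "mac": hmac.new(key, body, "sha256").hexdigest()}

def verify_manifest(log_dir: Path, manifest: dict, key: bytes) -> list:
    """Return findings; an empty list means every file is present and unchanged."""
    findings = []
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    if not hmac.compare_digest(manifest["mac"], hmac.new(key, body, "sha256").hexdigest()):
        findings.append("manifest: MAC mismatch (manifest itself altered)")
    present = {p.name for p in log_dir.glob("*.log")}
    for name, digest in manifest["files"].items():
        if name not in present:
            findings.append(f"{name}: deleted")
        elif sha256_file(log_dir / name) != digest:
            findings.append(f"{name}: modified")
    for name in sorted(present - set(manifest["files"])):
        findings.append(f"{name}: unexpected new file")
    return findings

def demo() -> tuple:
    """Constructed log files in a temp dir; returns findings before and after tampering."""
    key = b"PLACEHOLDER-store-this-key-outside-the-log-host"
    with tempfile.TemporaryDirectory() as d:
        log_dir = Path(d)
        (log_dir / "auth-2024-01-01.log").write_text("user=ayse action=login result=ok\n")
        (log_dir / "auth-2024-01-02.log").write_text("user=ayse action=read table=customers\n")
        manifest = build_manifest(log_dir, key)
        clean = verify_manifest(log_dir, manifest, key)
        # Simulate what an audit must catch: one line rewritten, one day's log removed
        (log_dir / "auth-2024-01-02.log").write_text("user=ayse action=login result=ok\n")
        (log_dir / "auth-2024-01-01.log").unlink()
        tampered = verify_manifest(log_dir, manifest, key)
    return clean, tampered
```

The manifest must be stored and backed up separately from the logs, otherwise whoever edits the logs can also regenerate it.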
3. Unauthorized Access Detection
KVKK Article 12/1-a: "To prevent unlawful processing of personal data"
- Alarm on out-of-hours access attempts
- Alarm on access from a new location
- Failed login chains (brute force)
- Abnormal activity on an admin account
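The first three rules from the list above as detection logic, added here as an example and not taken from the article. The events, the per-user baseline of known countries, the working-hours range and the five-failures-in-five-minutes threshold are all constructed assumptions; events are assumed to arrive in time order, and the admin-account rule is not modelled.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WORK_HOURS = range(8, 19)                 # 08:00-18:59 counts as working hours (assumed)
FAIL_LIMIT, FAIL_WINDOW = 5, timedelta(minutes=5)

# Constructed events (not real logs): timestamp, user, source country, outcome
EVENTS = [
    ("2024-03-04 09:12:00", "ayse", "TR", "ok"),
    ("2024-03-04 22:40:00", "ayse", "TR", "ok"),      # successful login at night
    ("2024-03-05 10:00:00", "mehmet", "DE", "ok"),    # country never seen for mehmet
] + [(f"2024-03-05 10:0{i}:00", "ali", "TR", "fail") for i in range(5)]  # 5 failures in 4 min

# Known locations per user, built from historical successful logins (constructed)
BASELINE = {"ayse": {"TR"}, "mehmet": {"TR"}, "ali": {"TR"}}

def detect(events, baseline):
    """Run the three rules over events in time order; return (rule, user, detail) alarms."""
    seen = {u: set(c) for u, c in baseline.items()}   # copy: do not mutate the caller's baseline
    fails = defaultdict(deque)
    alarms = []
    for ts, user, country, outcome in events:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if outcome == "ok" and t.hour not in WORK_HOURS:
            alarms.append(("out_of_hours", user, ts))
        if country not in seen.setdefault(user, set()):
            alarms.append(("new_location", user, country))
            seen[user].add(country)              # alert once, then treat the place as known
        if outcome == "fail":
            window = fails[user]
            window.append(t)
            while t - window[0] > FAIL_WINDOW:   # drop failures outside the sliding window
                window.popleft()
            if len(window) == FAIL_LIMIT:        # fires once, when the threshold is reached
                alarms.append(("brute_force", user, ts))
    return alarms
```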
4. Data Breach Notification (72 Hours)
When a data breach is detected, KVKK must be notified within 72 hours. Your SIEM should be able to detect breaches quickly.
- MTTD (Mean Time to Detect) < 1 hour
- Integrated with an incident management system
- Automatic notification (e-mail, Telegram)
- Forensic evidence collection
5. Access Control and Audit Trail
Who accessed personal data, and when, should be logged.
- An audit log for every user action
- Immutable audit records
- Access log retention of up to 7 years (in some sectors)
6. Data Minimization
Unnecessary personal data should not be kept in logs. For example, usernames and e-mails should be masked unless needed.
7. Geo Redundancy
Redundant storage to prevent loss of critical logs, preferably in a data center in Türkiye.
8. Data Storage Location
Transferring personal data abroad requires notification to KVKK. SIEM logs should be stored domestically.
9. Responsibility for Deleting User Transactions
KVKK Article 7: If a user requests deletion of their data, it must be deleted from all systems, including logs.
Does your SIEM have selective deletion capability?
10. 5651 Format — TIB Report
In accordance with Law 5651, when requested, a log report must be submitted in a specific format to TIB (Information Technologies and Communications Authority), containing:
- Source IP
- Destination IP and port
- Timestamp (UTC+3)
- Protocol
- User information (if known)
Can your SIEM produce this report with one click?
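A report generator for the five fields listed above, added as an example and not the article's own code: it takes flow records stored in UTC, selects a requested time window and optionally one source IP, converts timestamps to UTC+3 and writes fixed-order CSV. The records, field names and the CSV layout are constructed assumptions; the page does not specify the exact file format the authority expects.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

TR_TZ = timezone(timedelta(hours=3))   # Türkiye has used fixed UTC+3 (no DST) since 2016
COLUMNS = ["source_ip", "destination_ip", "destination_port", "timestamp", "protocol", "user"]

# Constructed flow records as a SIEM would store them: UTC timestamps, user not always known
FLOWS = [
    {"ts": "2024-03-04T20:15:00Z", "src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443, "proto": "TCP", "user": "ayse"},
    {"ts": "2024-03-04T21:05:30Z", "src": "10.0.0.7", "dst": "198.51.100.2", "dport": 53, "proto": "UDP", "user": None},
    {"ts": "2024-03-06T08:00:00Z", "src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443, "proto": "TCP", "user": "ayse"},
]

def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def build_report(flows, start_utc, end_utc, src_ip=None):
    """Select flows in [start, end), optionally for one source IP, and render the requested fields."""
    start, end = _parse(start_utc), _parse(end_utc)
    rows = []
    for f in flows:
        ts = _parse(f["ts"])
        if not (start <= ts < end) or (src_ip and f["src"] != src_ip):
            continue
        rows.append({
            "source_ip": f["src"],
            "destination_ip": f["dst"],
            "destination_port": f["dport"],
            "timestamp": ts.astimezone(TR_TZ).strftime("%Y-%m-%d %H:%M:%S +03:00"),  # local time, offset shown
            "protocol": f["proto"],
            "user": f["user"] or "unknown",
        })
    return rows

def to_csv(rows) -> str:
    """Render rows as CSV with a fixed column order so every export looks the same."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```

Note that the selection window is evaluated in UTC while the rendered timestamps are local; a request given in local time should be converted to UTC before calling build_report.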
11. Sensitive Data Detection
Sensitive data in logs, such as identification numbers, credit card numbers and e-mail addresses, must be detected and an alarm generated.
For example: "IDN: 12345678901" in a POST body = security incident.
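Detection for item 11 and masking for item 6 (data minimization) in one added example, not code from the article: the scanner flags 11-digit identification numbers, Luhn-valid card numbers and e-mail addresses in a log line, and the masker reduces them to what is still useful for correlation. The sample request line is constructed; the card number is a widely used test value, and the ID pattern is a shape check only, so it flags the article's "12345678901" without validating its checksum.

```python
import re

# Patterns for the data classes the checklist names. The 11-digit ID pattern is a
# shape check only (first digit non-zero); it does not validate the national checksum.
PATTERNS = {
    "tckn":  re.compile(r"\b[1-9]\d{10}\b"),
    "card":  re.compile(r"\b\d{13,19}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
}

def luhn_ok(digits: str) -> bool:
    """Luhn check so that other long numbers (order ids, epoch timestamps) are not flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_sensitive(text: str) -> list:
    """Return (kind, value) pairs; a non-empty result is the alarm condition of item 11."""
    hits = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            if kind == "card" and not luhn_ok(m.group()):
                continue
            hits.append((kind, m.group()))
    return hits

def mask(text: str) -> str:
    """Item 6: keep enough of each value to correlate events, drop the rest before long-term storage."""
    text = PATTERNS["tckn"].sub(lambda m: "*" * 9 + m.group()[-2:], text)
    text = PATTERNS["card"].sub(
        lambda m: "*" * (len(m.group()) - 4) + m.group()[-4:] if luhn_ok(m.group()) else m.group(), text)
    text = PATTERNS["email"].sub(lambda m: m.group()[0] + "***@" + m.group().split("@", 1)[1], text)
    return text

# Constructed request log line (not real data)
SAMPLE = 'POST /api/customers body="IDN: 12345678901 email=ayse@example.com card=4111111111111111"'
```

Running find_sensitive over the masked output of the same line returns nothing, which is the check to keep in place: whatever the masker leaves behind should no longer trigger the detector.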
12. Role-Based Access Control
Who has how much access to the SIEM?
- Superadmin: everything
- SOC Analyst: log viewing, alarm management
- Auditor: read only, no changes
- Executive: dashboard and report
13. 2FA (Two-Factor Authentication)
According to the KVKK guide, 2FA is mandatory for critical systems. SIEM is a critical system.
14. Encrypted Storage
At-rest encryption — logs must be written encrypted on disk (TDE, FDE).
15. Signed, Timed Backup
Backups:
- Must be encrypted
- Must be time stamped (notary seal)
- Must be kept in an offline location (air-gapped)
- Restore tests should be performed monthly
Audit Preparation Checklist
To be ready when the KVKK audit comes:
- ✅ Is the log retention policy written?
- ✅ Are logs for the last 6 months available? (Can this be verified with a random sample?)
- ✅ Is data breach process documentation available?
- ✅ Is the RBAC matrix written?
- ✅ Are violations from the last 12 months listed?
- ✅ Is there a root cause analysis for each violation?
- ✅ Is 2FA active on all admin accounts?
- ✅ Are backup test reports available?
- ✅ Is the data processing inventory up to date?
- ✅ Has a data controller (DPO) been appointed?
Penalties
KVKK 2024 penalties:
- Non-compliance with the data security obligation: up to ₺1,800,000
- Not reporting a breach: up to ₺200,000
- Violation of the obligation to inform: up to ₺200,000
These figures are updated every year.
Summary
- KVKK and 5651 bring specific obligations for SIEM
- 4 basic topics: retention, integrity, access control, breach notification
- Logs must be kept domestically (or consent for transfer abroad must be obtained)
- Audit preparation is a proactive process, not a last-minute one
- Penalties are high — SIEM investment is risk reduction