Time-based review rule
As a Business Steward or Owner for a domain, you can create Time-based Review Rule assets to trigger the review of assets in your domain after a set amount of time has elapsed. This is particularly useful for scheduling reviews of your assessment assets, because data privacy regulations encourage periodic reviews for some of them.
Time-based review rules are based on the cron value specified in the Frequency attribute. At the specified frequency, a Review Request asset is created, prompting a review of the related asset. For more information on cron, see Cron syntax.
To eliminate the chance of overly frequent review requests, the cron value of the Frequency attribute is linked to the value of the Last Modified attribute of the related asset.
For example, suppose you configure a Time-based Review Rule asset to trigger the review of related Technology Assets every 12 months, and a related Technology Asset is then updated for a reason unrelated to your Time-based Review Rule asset. When the changes have been approved, its Last Modified date is updated. In accordance with the cron value specified in your Time-based Review Rule asset, the related Technology Asset will be reviewed 12 months after it was last modified.
Time-based reviews can only be triggered for assets that have the status Accepted or Approved.
For example, suppose you configure a Time-based Review Rule asset to trigger the review of all PIA assets 12 months after their status becomes Accepted. When the 12 months have elapsed:
- A Review Request asset is created with the status New.
- The status of the Time-based Review Rule asset does not change; it remains Accepted.
- The following relations are established:
  - The Time-based Review Rule asset is related to the PIA by the relation type: Assessment assesses / is assessed by Asset
  - The Review Request asset is related to the PIA by the relation type: [Asset] impacts / is impacted by [Issue].
PIA assets cannot be updated (see Asset onboarding and change management), so you start the PIA workflow for the relevant asset. As a result:
- The status of the new PIA is New.
- The status of the original PIA remains Approved, until the new PIA asset is approved. At that time, the status of the original PIA asset becomes Obsolete.
- For audit purposes, the relations between the related asset and both PIA assets remain intact.