Cornell University

Annual Cybersecurity Training and Attestation

Why Cybersecurity Training and Attestation?

Cybersecurity Training and Attestation (previously "Cybersecurity Awareness Training") is significantly updated for 2025. It provides an overview of Cornell University's policies and practices that all users must follow to protect Cornell's data and systems. It aims to make individuals aware of cybersecurity threats and how to protect devices and data. It explains an individual's responsibility to work securely because a breach of an individual’s device can also harm others and the institution. Threats change and evolve, so training is an annual requirement of regulators and cybersecurity insurers.

The general assignment for ITSO102 FY25 Cybersecurity Training and Attestation begins in March 2025 and rolls out in batches. ITSO102 is assigned to most employees and contractors (there is no longer a different version for faculty). New hires are assigned the course on their start date. Supervisors can request approval of an assignment exception.

New for 2025 are questions about Sensitive Information Use, Security Practices, and Device Security that the ITSO will use to assess and reduce cybersecurity risk. Based on the answers (stored in Salesforce), the ITSO may contact an individual to see if there are opportunities to improve their cybersecurity. The information and resources presented in the training are available on IT@Cornell's Annual Cybersecurity Training and Attestation Training Resources page.

Tips for Taking the Training

The training will be automatically assigned to you, and you will receive an email from Workday Learning prompting you to take it. You can also find the training by logging in to Workday Learning and then selecting My Learning. If you haven't yet completed the training, you will see it listed under Required Learning. You can also search for "ITSO102 FY25 Cybersecurity Training and Attestation".

For the best experience:

  • Use Chrome as your web browser and disable popup blockers.
  • Log in using your Cornell NetID as your username. Do not use Cornell email aliases or other email addresses.
  • The training is intentionally brief.
    • Plan for 15-30 minutes to take the training (called ITSO102 FY25 Cybersecurity Training and Attestation). The length of the training will depend on your use of certain types of data.
  • It will take 24 hours for your training completion to appear in Workday Learning.

Consequences of Not Completing the Training

Annual cybersecurity training is mandatory for all Cornell employees. Individuals have 45 days to complete the training from the date it is assigned, and will receive several email messages.

If you do not complete the training by the 45-day deadline, you will see a warning page for the next 7 days when you try to log in to many Cornell applications and websites. After that 7-day extension, if you still have not completed the training, you will be unable to sign in to many university applications and websites. These restrictions may impact your ability to complete some or many of your job responsibilities. Disciplinary protocols may be considered with guidance from your HR representative.

Please contact the IT Service Desk if you believe your completion record is incorrect.

Managers and Leaders: Review Department Compliance

Managers, leaders, and HR representatives can review the cybersecurity training compliance status of their team (or for leaders and HR representatives, their college or unit) through the Workday report titled "Cybersecurity Awareness Training Is Overdue by Supervisory Organization." See this job aid for details. Managers will also receive Workday inbox notifications about those who have not completed the training.

Get Help

If you are having trouble accessing the training, believe you have already taken it, or have other questions, please contact the IT Service Desk.
