Announcement Date
Wednesday, December 10, 2025 - 10:00
Dear Colleagues,
Following the recent University notification (email copy below) regarding mandatory information security training, we want to remind you that all Weitzman faculty, staff, postdocs, student workers, and contingent workers must complete the required training by December 31, 2025.
You can access the training here: (https://isc.upenn.edu/security/aware/infosec_online_training) or directly in Workday Learning (PennKey login required).
To reinforce the importance of this requirement, we want to share the results of a simulated phishing exercise conducted by Weitzman IT in November. A message titled “Action needed: O365 authentication update” was sent to faculty, staff and PhDs. The results showed that 55% of recipients opened the message, and 16% clicked the phishing link—significantly higher than the typical 3–5% industry benchmark. These findings underscore the continued need to strengthen our community’s awareness of IT security best practices in order to protect individual users and University systems.
The University-mandated course consists of three short modules (about five minutes each) in Workday Learning, each followed by a brief assessment. Please complete the training as soon as possible to help safeguard yourself, your data, and the University.
Thank you for your cooperation.
If you have any questions, please reach out to ithelp@design.upenn.edu
***************************************************************************************************************
Subject: Information Security Training
Dear Colleagues,
We want to make you aware of a new information security training course that will be required of all Penn faculty, postdocs, student workers, and staff, including contingent workers and temporary workers. The course, titled “Information Security at Penn: A Practical Guide,” is part of the University’s ongoing efforts to strengthen our community’s ability to protect institutional systems and information, and you.
Why It Matters
- Ensuring the security and integrity of the University’s systems and information is critical to Penn’s mission. Cyber threats pose a serious and persistent risk. Criminals are increasingly targeting individuals, and some members of our Penn community have experienced account compromises.
- On October 31, 2025, systems supporting Penn’s development and alumni activities were accessed using stolen credentials obtained through a sophisticated form of identity impersonation known as social engineering. It is essential that our community remains vigilant and prepared to recognize and report these types of attacks—especially suspicious phone calls or emails that may be phishing attempts. This training will equip every member of our community with practical skills to recognize and prevent threats before they can cause harm to you or the University.
What to Expect
- You will need to complete three short training modules, approximately five minutes each, asynchronously in Workday Learning.
- After each module, you will complete a brief learning assessment.
- Training completion is required by December 31, 2025.
- To protect our entire community, failure to complete the training may result in loss of access to University systems.
How to Access the Course
- The training can be accessed through the information security course website (https://isc.upenn.edu/security/aware/infosec_online_training), which includes a link to the training in Workday Learning (PennKey login required), answers to frequently asked questions, and additional resources on best practices in information security.
- You will also receive an email from Workday Learning when the course is assigned with information on how to access the training.
Anyone who completed this course in Workday Learning on or after September 25, 2025, is not required to retake the training.
If you have any questions after reviewing this information, please feel free to contact security@isc.upenn.edu.
Thank you in advance for your partnership and your participation in this important initiative.
John L. Jackson, Jr., Provost
Mark F. Dingfield, Executive Vice President
Josh Beeman, Interim Vice President of Information Technology & Interim University Chief Information Officer
***************************************************************************************************************