Cornerstone OnDemand

Cornerstone Core HR Suite for Public Sector

Cornerstone HR gives a complete view of the organisational workforce across business entities, divisions, locations, departments, cost centers, etc. With a primary source of truth for core employee and talent data, via a modern centralized interface, organisations can make smarter people decisions to improve business performance.

Features

  • Consolidate data from many sources, payroll, time, attendance, HR systems
  • Allow employees,managers to access & change personal information anytime
  • Workflows, Automate document routing, tracking and notifications
  • Adherence to Regulations and Internal Policies, Pull compliance reports easily
  • Automate manual HR processes to improve data quality
  • Reporting, historical, current and future data with effective dating
  • Generate approval workflows to streamline and standardise processes
  • Utilize flexible ‘Organisational Unit’ architecture to manage across departments
  • Consolidate data across multiple disparate HR systems
  • Integrate with leading global payroll, benefits, time & attendance systems

Benefits

  • Centralize your employee data across your organisation.
  • Manage existing HR system data via one centralised Cornerstone hub
  • Improve retention and increase productivity
  • Run reporting on comprehensive workforce data across systems
  • Employee, manager self-service, reducing HR tedious data management
  • Ensure compliance standards are met with configurable dashboard reporting
  • Leverage robust, user-friendly employee profiles to access, maintain employee data
  • Ensure accurate and up-to-date data is exportable
  • Deploy and optimise system within a short time
  • Reduce maintenance costs of legacy systems or clunky systems implementations

Pricing

£5.00 to £20.00 per user per year

Service documents

Framework

G-Cloud 11

Service ID

4 4 3 8 1 6 8 9 5 9 0 1 5 3 0

Contact

Cornerstone OnDemand

Julian Turner

07788 291438

jturner@csod.com

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
Full Integration with the Cornerstone Suite, which can seamlessly tie employee learning and performance metrics to give executives and managers a clear picture of how learning initiatives impact organisational success.
Cloud deployment model
Public cloud
Service constraints
No, Cornerstone is a Software-as-a-Service. Users can access the application at any time and from anywhere through the internet. In addition, Cornerstone has broad experience in developing highly stable single sign-on linkages with its clients. End users will be able to access the infrastructure seamlessly with one login and from a specified location on the client’s network.

Cornerstone are happy to provide specific hardware configurations or requirements upon request.
System requirements
  • As a SaaS Service - there are no hardware requirements.
  • Minimum Desktop Requirements: Recommendations upon request
  • Supports Mobile Device Enablement: Recommendations upon request
  • There are no software maintenance, and no network administration requirements

User support

Email or online ticketing support
Email or online ticketing
Support response times
Response time 1 hour. Included Level Support provide as standard in the software subscription fee at no additional cost and includes 24x5 live emergency phone support 24/7 for S1/S2 Level Tickets. Phone Support is available M-F, 24 Hours. In addition, clients can submit an unlimited number of cases and have 24 hour visibility to those cases through our online portal MySuccess.

Cornerstone offers various support packages, with varying levels of access, availability, and services at an additional cost. Which include enhanced service levels and 24x7 live phone support.
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
WCAG 2.1 A
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
All support options include:
- OnDemand’s self-service resources is available 24/7 through the web interface within the Cornerstone application.
- Case Management Tools:Available 24/7 via self-service portal.
- Live Emergency Phone Support:24/7 S1/S2 Emergency Support.

Included Support - provided as standard.
- 2 Named Admins
- Phone Support (M-F):Available Monday through Friday, 24 hours.

Choice Support Includes:
- 5 Named Admins
- Live Emergency Phone Support:24/7 S1/S2 Emergency Support
- Access to shared Customer Service Manager (CSM).

Preferred Support Includes:
- 5 Named Admins
- Phone Support 24/7/365
Shared GPS Guru: Dedicated GPS Subject Matter Expert

Elite Support Includes:
- 10 Named Admins
- Phone Support 24/7/365
- Prioritized Case Handling: Enhanced case review and resolution.
- Elite Support Performance Scorecard
- Named GPS Guru: Dedicated Global Product Support Subject Matter Expert.
- Weekly Guru Call: A scheduled time to discuss upcoming business projects and/or needs.
- Release Weekend Support: Live support during release weekend.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
Once the contract has been executed, Cornerstone will assign the client a dedicated Implementation Consultant. The Implementation Consultant will be the primary point of contact during implementation. In addition, they will be supported by a project team that includes a Program Sponsor, Engagement Manager, Integration Consultant, and Training Consultant.

We deploy our solution in significantly less time than required for similar deployments of legacy software. Our SaaS model eliminates the need for complex technical requirements such as code customisation, equipment deployment, and unique delivery models.

A typical implementation takes approximately 6-8 weeks for an initial module based on scope and complexity.

With years of experience and hundreds of deliveries across various industries, we’ve learned what it takes to ensure our clients can make a successful leap to impact.

Our Cornerstone University Services team provides consulting, training, and performance support tools to enable clients to learn and use our talent management solutions successfully. We offer a blended training approach to accommodate different learning styles.

This approach is designed to meet individual learning needs, whether the trainee has five minutes or five days. The self-regulated learning approach supports heavy interaction or independent learning.

Online Administrator Training (included)
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
In the event that a client does not renew their contract, Cornerstone will return the client’s data via their secure FTP site in the same format in which the data was originally inputted into the software. Alternatively, the client’s data can be returned in a mutually agreed format at a scope and price to be agreed. Cornerstone will maintain a copy of the client data for no more than six months following termination of the agreement, after which time any client data not retrieved will be destroyed.
End-of-contract process
Our agreements are for a term lease period, and software fees are paid in annual installments over that period, during which time Cornerstone recovers costs. Accordingly, during that lease period (as with, say, a rental or car lease), there can be no termination for convenience. Effect of Termination. Immediately following termination of this Agreement, Client shall cease using all Products. Client may retrieve Client Data any time prior to termination or expiration of the Agreement. If requested, Cornerstone will assist with such data retrieval at a scope and price to be agreed.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
Cornerstone Mobile allows users to view their learning transcript and to download, view, and interact with rich, standards-based courseware and knowledge content from their smartphones and tablet devices. Content conforms to SCORM 1.2, SCORM 2004, and AICC standards and is supported for maximum content interoperability and reusability.

Our offline player allows users to complete online courses on their phones and tablets while not connected to the internet. Online classes behave as though they are being used online: bookmarks are kept, progress is saved, etc. After reconnecting to the internet, the results of the training can then be uploaded to Cornerstone.
Service interface
No
API
Yes
What users can and can't do using the API
Cornerstone has available a number of out-of-the-box API’s as functionality exposed as web services. Currently, four main areas of functionality are offered through our web services.

User and Organisational Unit upload / Edit
a) A feed from your HRIS or system of record can upload and modify new users, Organisational Units and changes.

Transcript and Task retrieval
a) Ability to see the homepage widgets and user transcript

b) Home page widgets available:

Assigned Training
In Progress
Upcoming Sessions
Pending Tasks
c) Also available: View of the entire user transcript

Sections within the curricula available for viewing
d) Web service provides status and IDs for learning objects

Catalog Search
a) Ability to search the catalog by title, description, etc., to see training and sessions available to a given user

Learning Objects
a) Ability to perform general functionality for learning objects

b) Tasks available:

Request
Register
Launch Materials
Complete
The web services are a configuration. Cornerstone provides the web service URL and documentation to the client. All the necessary information is provided in the documentation. The client will use standard web service API’s on any platform or any tool that supports web services to consume ours.
API documentation
Yes
API documentation formats
  • HTML
  • PDF
  • Other
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
Cornerstone provides unique flexibility in how G Cloud clients can deploy the system to different groups of users. Different branding, business rules, and functionality can be established for any Organisational Unit (such as Division, Location, Position, custom group of individuals, etc.). The end result is an unparalleled level of personalisation for the user.

Cornerstone was designed to be administered by the client and not the vendor. G Cloud Clients have complete control to configure the look and feel of the application to your specific business units with specific functionality and branding. Client administrators are presented with an extensive set of web-based controls which enable them to easily configure graphics, colors, key words, layout, and business rules.

Clients can make configuration changes on their own without any assistance from Cornerstone or for any additional costs. Not all vendors can make this claim. The high configurability of the Cornerstone system is one of the distinct advantages that we offer to our customers.

Scaling

Independence of resources
The Cornerstone application, as per the Software as a Service model, is designed to scale horizontally. It is multi-tenant-efficient, offering a load balanced farm of identical instances known as swim lanes. When additional server equipment is added, the application capacity scales to fill the available hardware.

This allows virtually unlimited growth capacity.

As opposed to a classical behind the firewall or hosted architecture, our application and our hardware platforms are designed to:

• Efficiently support a high number of users and customers

• Redistribute load easily

• Add additional capacity easily and quickly

Analytics

Service usage metrics
Yes
Metrics types
Cornerstone provides an SLA for all clients that guarantees initial response and resolution in regards to defined priority and severity levels.

Cornerstone’s SLA also guarantees 99.5% uptime (excluding reasonable and scheduled maintenance periods) per month.

MySuccess enables named client administrators to access Global Care knowledge assets, solutions, and self-service support tools online at any time. MySuccess is powered by a case management system and interface that provides the ability to submit, update, track and manage questions, issues, and other requests. Clients can download a support performance scorecard at any time.
Reporting types
Real-time dashboards

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
No
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Other
Other data at rest protection approach
Data-at-rest protection, Optional TDE Encryption at rest
Physical access control, complying with CSA CCM v3.0 and ISO27002 Standards.
Data sanitisation process
Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Clients can export their data at any time through our reporting engine and analytics tool. In addition, an outbound data feed can be established from Cornerstone to an internal client system such as a data warehouse.

Cornerstone does offer data warehouse replication services. A client’s entire Data Warehouse is replicated to a separate server in our data center to allow clients to make direct SQL connections over a Virtual Private Network (VPN). Clients can report against all data in the replicated data warehouse directly without having to use our Analytics module.
Data export formats
  • CSV
  • ODF
Data import formats
  • CSV
  • ODF

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network
TLS (Version 1.2 or above), VPN, restricted access (SSO) and dedicated lines.

Availability and resilience

Guaranteed availability
Cornerstone provides an SLA for all clients that guarantees initial response and resolution in regards to defined priority and severity levels.

Cornerstone’s SLA also guarantees 99.5% uptime (excluding reasonable and scheduled maintenance periods) per month.

In the event that Cornerstone has not complied with its "Resolution" obligations set forth above, then, for each calendar day (or portion thereof) that Cornerstone has not so complied, Client shall be entitled, as its sole and exclusive remedy therefor, to a credit against Client's next invoice equal to 1/365th of the annual fees for Software set forth in the Agreement.
Approach to resilience
Cornerstone’s Disaster Recovery/Business Continuity Plan defines plans, procedures, and guidelines for the Company in the event of disaster. Specifically, this document establishes procedures for recovering business operations, internal data; systems, and critical internal functions to maintain Cornerstone as an on-going concern in the face of unexpected events.

The plan has the following primary objectives:
•Identify critical systems, services, and staff necessary to maintain and/or restore Cornerstone business operations and internal functions.

•Provide guidelines for the communication of activities and status to both Cornerstone staff and client personnel during the recovery period.

•Present an orderly course of action for restoring critical computing capability to Cornerstone and for maintaining and/or restoring client service and support.

Cornerstone performs site-to-site replication of data to protect client data in the event of a disaster. There are two dedicated disaster recovery sites distant from each of the production data centers. Disaster recovery testing is performed semi-annually at each DR site.

Further available information is available upon request.
Outage reporting
Outages occur during scheduled maintenance/releases. Otherwise, the system is not likely to experience any outages, however in the unlikely event of an unexpected outage, clients will receive email alerts.

Downtime is scheduled for planned quarterly releases at least 4 months in advance and deployed during off-peak hours, typically 8:30PM EST Fridays to 1AM EST Saturday (4.5 hours). Patch fixes typically occur every two weeks between 8:30PM EST and 12:00AM EST. The typical downtime for a patch deployment is approximately 10 minutes.

Client administrators can access a calendar of upcoming release and patch dates at any time through our client portal, Success Center. In addition, multiple email reminders are sent in advance.

Identity and authentication

User authentication needed
Yes
User authentication
  • Username or password
  • Other
Other user authentication
Users access the Cornerstone application either through a username and password, or through Single Sign-On (SSO). Cornerstone does not offer two factor authentication to clients for logging into their portal. However, clients that use SSO are able to implement two factor authentication within their own network prior to sending the SAML token to Cornerstone.
Access restrictions in management interfaces and support channels
Users need a unique username, password to access the application. Alternatively, clients can be authenticated using security tokens, utilising a symmetric algorithm, passed by the client’s local authenticator for Single Sign-On functionality.

Passwords represent a fundamental and significant security mechanism at Cornerstone. Passwords are required to access the production network (via Active Directory) and applications (SQL Server). User accounts are created that employ individual user ID and passwords to identify and authenticate a given user. Users cannot access any Cornerstone system without a valid user ID and password. The SQL server logon groups are each configured to use Windows authentication.
Access restriction testing frequency
At least every 6 months
Management access authentication
Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
User-defined
How long system logs are stored for
User-defined

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
DNV GL Business Assurance accredited the ISO/IEC 27001 certification
ISO/IEC 27001 accreditation date
07/05/2015
What the ISO/IEC 27001 doesn’t cover
Please note that our IT service management policies and procedures are informed by many sources, including the cohesive set of best practices covered by ITIL, as well as other standards and best practices such as SSAE 16, ISAE 3402, ISO 27001, and FISMA. These certifications cover all the main security requirements
ISO 28000:2007 certification
Yes
Who accredited the ISO 28000:2007
Cornerstone is not ISO 28000:2007 certified
ISO 28000:2007 accreditation date
N/A
What the ISO 28000:2007 doesn’t cover
Please note that Cornerstone has received certification for the following programs:

• SSAE 16, ISAE 3402 Type II Audit, SOC 2 Type II
• PCI Certification
• Privacy Shield (previous EU Model Clauses, previous Safe Harbor)
• EU GMP Annex 11 and 21 CFR Part 11
• Federal Information Security Management Act (FISMA)
• ISO 27001:2013
• Equinix SSAE16 Audit, ISO 27001, ISO 22301, ISO 9001, OHSAS 18001, ISO 14001
• Equinix Telecity ISO 27001, ISO 22301, ISO 9001, OHSAS 18001, ISO 14001
CSA STAR certification
Yes
CSA STAR accreditation date
07/05/2015
CSA STAR certification level
Level 5: CSA STAR Continuous Monitoring
What the CSA STAR doesn’t cover
Cornerstone can provide upon request a copy of the CSA questionnaire with all the Cornerstone compliant specifications.
PCI certification
Yes
Who accredited the PCI DSS certification
Trustwave accredited the PCI certification for Cornerstone
PCI DSS accreditation date
2014
What the PCI DSS doesn’t cover
Cornerstone is categorized as PCI Level 4 SAQ D under the Payment Card Industry Data Security Standards. Standards include: building and maintaining a secure network, protecting cardholder data, and maintaining an information security policy.
Other security certifications
Yes
Any other security certifications
  • SSAE 16, ISAE 3402 Type II Audit, SOC 2 Type11
  • Privacy Shield (previous EU Model Clauses, previous Safe Harbor)
  • EU GMP Annex 11 and 21 CFR Part 11
  • Federal Information Security Management Act (FISMA)
  • ISAE 3402
  • EU GMP ANNEX 11
  • WCAG 2.0 and Section 508
  • FedRAMP
  • SSAE16 Audit, ISO 27001, 22301, 9001, OHSAS 18001, 14001
  • Equinix Telecity ISO 27001, 22301, 9001, OHSAS 18001, 14001

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
  • CSA CCM version 3.0
  • ISO/IEC 27001
Information security policies and processes
Security is of paramount importance to Cornerstone due to the sensitive nature of employee data. We designed our solution to meet rigorous industry security standards and have ISO27001:2013 including ISO27018 for privacy, plus conduct annual SSAE 16 SOC1 and SOC2 third party audits to verify continuously Cornerstone Technical and operational controls to assure clients that their sensitive data is protected across the system. We ensure high levels of security by segregating each client’s data from the data of other clients and by enforcing a consistent approach to roles and rights within the system. These restrictions limit system access to only those individuals authorised by our clients.

We employ multiple standard technologies, protocols, and processes to monitor, test, and certify the security of our infrastructure continuously.

Security responsibilities are handled by our IT operations team and overseen by our Deputy CISO, who works in concert with our Sr. Director of Technology Operations and Chief Technology Officer and is responsible for securing information in accordance with industry best practices and for implementing the recommendations of the various 3rd party audits.

Cornerstone does not publish these documents. However we can provide a secure online account, where you can access and view these documents.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
As a SaaS company, we release software frequently and regularly so that our clients may benefit from our on-going R&D. Cornerstone follows a defined SDLC (Software Development Lifecycle) that contains a number of important quality steps, an abridged version of which can be provided upon request. Development and Project Management are tasked with ensuring that these steps are followed:
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
Cornerstone contracts leading third party information security consulting and services companies to run external penetration tests against our production environments to coincide with major code releases throughout the year. Vulnerability classes tested for include the following:
•Cross Site Request Forgery (CSRF)
•Cross Site Scripting (XSS)
•Command Injection (including SQL, LDAP, and OS command injection)
•Server Side Includes (SSI) Injection
•Forced Browsing
•Format String Vulnerabilities
•Response Splitting
•Directory Traversal and Data Exposure
•SSL/TLS Cipher Strength Analysis
•Cookie Analysis
•HTTP Method Analysis
•Hostile Link attacks
•Cookie Injection Attacks
•Session Fixation
•Session Management (Subversion, Timeouts/Logouts)
•Vulnerabilities Within the Username/Password Recovery Method
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
Security is of paramount importance to Cornerstone due to the sensitive nature of employee data. We designed our solution to meet rigorous industry security standards and to assure clients that their sensitive data is protected across the system. We ensure high levels of security by segregating each client’s data from the data of other clients and by enforcing a consistent approach to roles and rights within the system. These restrictions limit system access to only those individuals authorised by our clients.

Cornerstone include best in class multiple standard technologies, like SPLUNK to help manage our security monitoring.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
Cornerstone maintains an ISO27001 based Security Incident Response Plan in order to organise resources to respond in an effective and efficient manner to an adverse event related to the safety and security of a computer resource under Cornerstone’s management. An adverse event may be malicious code attack, unauthorised access to Cornerstone managed networks or systems, unauthorised utilisation of Cornerstone services, denial of service attack, or general misuse of systems.

The plan clearly defines the appropriate steps and processes in communication. Clients will be notified within 24 hours of the identified issue.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
No

Pricing

Price
£5.00 to £20.00 per user per year
Discount for educational organisations
No
Free trial available
No

Service documents

Return to top ↑