Consultant’s Corner

December 29, 2022

Welcome to Consultant’s Corner.  We have archived our training videos to assist you with your grant process.

Consultant’s Corner 2022-2023

12-20-2022

EHP Preparation

12-6-2022

How To Apply For The NYS Hate Crimes Grant (SCAHC)

11-22-2022

I Got A Government Security Grant – Now What?

View all our 2022-2023 training videos here in sequence:

Consultant’s Corner 2021-2022

3-29-2022

Developing a Training Program

3-22-2022

Year-to-Date Topics Summary

3-15-2022

Special Presentation: Your Security and Grant Questions Answered Live

3-8-2022

Reducing Door, Frame & Hardware Vulnerabilities

3-1-2022

Access Control 2; Mindset Plus Technology

2-22-2022

Access Control

2-15-2022

Protecting Windows

2-8-2022

Procurement Process

2-1-2022

Door Hardware and Door Hardening

1-25-2022

RFP Package Continued: Basics of Product Research

1-18-2022

RFP Package Part 2 and Lessons from Colleyville

1-11-2022

RFP and Bid Management

1-4-2022

Grant Management Part II

12-14-2021

Securing Communities Against Hate Crimes Grant (SCAHC)

12-7-2021

Environmental and Historic Preservation Form (EHP)

11-30-2021

Appointing A Project Manager

11-23-2021

What Do We Need, and How Do We Get Bids?

11-16-2021

I Received A Security Grant, Now What?

View all our 2021-2022 training videos here in sequence:

Read the November 2022 issue of the CSI Monthly newsletter

November 29, 2022

The purpose of this CSI monthly newsletter is to inform community institutional leadership, in a non-technical way, of the nature of the risks they face in cyberspace. Our goal is to keep you up to date on the latest threats and to guide you to best practices. As subject matter experts, we can decipher the jargon and inform you how to best spend your funds to protect your organization.

Download the November 2022 issue of the CSI Monthly newsletter (PDF)

Read the September 2022 issue of the CSI Monthly newsletter

September 30, 2022

The purpose of this CSI monthly newsletter is to inform community institutional leadership, in a non-technical way, of the nature of the risks they face in cyberspace. Our goal is to keep you up to date on the latest threats and to guide you to best practices. As subject matter experts, we can decipher the jargon and inform you how to best spend your funds to protect your organization.

Download the September 2022 issue of the CSI Monthly newsletter (PDF)

Nonprofit security grant updates

April 07, 2022

Application information for the Nonprofit Security Grant Program (NSGP) will be released by the U.S. Department of Homeland Security on or about May 13, 2022. NY DHSES will publish its Request for Applications shortly thereafter. Anticipate a New York application window of two weeks or less. Take steps immediately to address the issues below.

What can you do immediately?

  1. Review the latest information. If you didn’t see FEMA’s technical assistance presentation last week, click here to see the slides, including allowable projects, recommendations and other basic information. Note: this year’s Investment Justification will be in the easier-to-use PDF format. Another change: new applicants will be eligible for a 15-point bonus.
  2. Get a UEI. Previous grantees all know about DUNS numbers, but DUNS numbers will not be accepted. Obtain a Unique Entity Identifier (UEI). This process is challenging, so do not leave it until the last minute. Click here to download the Quick Start Guide for Getting a Unique Entity Identifier.
  3. Update your Document Vault. All New York applicants must be prequalified in order to submit an application. 
    • Certain financial documents must be updated annually. If you are already prequalified, ensure that all financial documentation in your document vault is current and will not be expiring in the near future. Organizations with expired documentation will not be considered for funding. 
    • Organizations that used the “Streamlined” prequalification process for the Hate Crimes (SCAHC) grants last year must prequalify using the traditional process.

For more information on prequalification, and maintaining prequalification, please visit: https://grantsmanagement.ny.gov/get-prequalified.

  4. Assessments. An up-to-date vulnerability assessment must be attached to each application. CSI will continue to deliver assessments to organizations on a three-year cycle (once every three years). The vulnerability assessment submitted must be current and accurately reflect the site’s security vulnerabilities at the time your application is submitted.
    • Click here to request a physical or cybersecurity assessment, training or purchasing support. Note, the CSI team is delivering scores of physical assessments and CSI has brought in additional experts. However, at this time we cannot guarantee the delivery of physical assessments before the grant applications are due.
    • Organizations can update their recent assessments. Click here for instructions. CSI will supply our current threat overview. Request one here.
    • The vulnerability assessment must contain the site’s physical address, which must match the physical address provided in the Investment Justification (IJ) and in the Work Plan of your E-Grants application.
    • Each and every project being requested in the IJ must be clearly linked to a security vulnerability identified in the vulnerability assessment. Requested projects that are not reflected as vulnerabilities in the assessment will not be funded.
  5. E-Grants. You must be a registered user of the DHSES E-Grants System. All applications must be submitted to DHSES using this system. If you need information about this system or need to register for access, please see the NY DHSES website for instructions: https://www.dhses.ny.gov/e-grants
  6. Charities Bureau. You must be registered, have recently applied for registration, or be exempt from registering with the NYS Attorney General’s Office Charities Bureau: https://www.charitiesnys.com/charities_new.html.

Active threat training

February 03, 2022

How should organizations prepare for an active threat attack? Over 1,000 people registered for the CSI training on February 2, 2022 to learn what they can do if an attack occurs and how they should plan, prepare and train. Click the video below to watch a recording of the session.

CSI Cyber: New ransomware resources

June 01, 2021

Today, the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released a cybersecurity advisory, “DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks.” CISA and FBI are urging critical infrastructure asset owners and operators to adopt a heightened state of awareness and implement the recommendations listed in this advisory.

Recently, DarkSide actors deployed DarkSide ransomware against a U.S. pipeline company’s information technology (IT) network. In response to the cyberattack, the company proactively disconnected certain operational technology (OT) systems to ensure the safety of the system. At this time, there are no indications that the threat actor moved laterally to OT systems.

This joint advisory provides technical details on DarkSide actors and some of their known tactics and preferred targets. According to open-source reporting, DarkSide actors have been targeting multiple large, high-revenue organizations. Also, the actors have previously been observed gaining initial access through phishing, exploiting remotely accessible accounts and systems and virtual desktop infrastructure.

CISA and FBI strongly recommend that critical system owners and operators prioritize reading this advisory and follow recommended mitigation and guidance to help protect against this malicious activity. In addition to the cybersecurity advisory, CISA and FBI urge critical infrastructure asset owners and operators to review the following resources for best practices on strengthening cybersecurity posture:

Victims of ransomware should report it immediately to CISA, a local FBI Field Office, or a Secret Service Field Office.

2020-21 NYS DHSES Virtual Workshops for grantees and applicants

February 04, 2021

Please see the offerings from NYS DHSES below. Note that most of the sessions are for current grantees.

  • There will be a session on the nonprofit programs on Thursday, February 11th @ 1PM. Click here to register. Here is more information.
  • The Community Security Initiative and NYS DHSES will present at Rep. Grace Meng’s Nonprofit Security Program Grant Workshop on Wednesday, February 10, 2020 from 6PM to 7:30PM. To RSVP and receive the Zoom link, email: MENG.RSVP@MAIL.HOUSE.GOV.
  • Organizations planning to submit an NSGP application must include an assessment. Click here to apply for a professional assessment from the Community Security Initiative at no charge to your organization.

Here is more information from NYS DHSES:

The New York State Division of Homeland Security and Emergency Services (DHSES) Grants Regional Workshops are an annual event which has historically been held at multiple locations statewide every fall. Being unable to hold these events in person for 2020, we have announced the 2020 DHSES Grants Virtual Workshops and the 2020 DHSES Grants Virtual Workshops – Nonprofit Series, which will be delivered via WebEx on multiple key dates between December 2020 and March 2021. The purpose of the Workshops is to provide critical updates on homeland security grant funding, provide technical assistance on meeting the various grant requirements and to obtain feedback as well as answer your questions on these key issues.

We have set up this page to be able to share important information and documents regarding the Virtual Workshops, including presentation recordings and slides, which will be posted following the delivery of each presentation. Please note that the Virtual Workshops are for informational purposes and may not address your questions directly, however you can always reach out to your Contract Representative for further clarification.

Grants Program Administration: Who We Are / What We Do – Delivered Friday, December 11, 2020
Target Audience: Government sector subrecipients, Nonprofit organizations

Tutorial on Minority and Women Owned Business Enterprises (MWBE) Requirements – Delivered Tuesday, January 12, 2021
Target Audience: Government sector subrecipients

Navigating E-Grants and Quarterly Reporting – Delivered Thursday, January 28, 2021
Target Audience: Government sector subrecipients, Nonprofit organizations

Any questions or comments about the content herein or the Virtual Workshops can be directed to the Grants Info box: Grant.Info@dhses.ny.gov

Cybersecurity: Protecting your people and your systems

December 18, 2020

As cybersecurity concerns heightened, both worldwide and in the Jewish community, the Community Security Initiative and CISA offered a cybersecurity webinar on December 17, 2020. R. S. Richard Jr., CISM, CCISO, Cybersecurity Advisor, Region II of the Cybersecurity and Infrastructure Security Agency (CISA), explained important cybersecurity measures that organizations should consider adopting and the resources that CISA makes available. View the video here and the presentation here.

CISA recently released its Cyber Essentials Toolkit, a set of modules designed to break down the CISA Cyber Essentials into bite-sized actions for technical staff and organizational leadership to work toward full implementation of each Cyber Essential. Each chapter focuses on recommended actions to build cyber readiness into the six interrelated aspects of an organizational culture of cyber readiness. We urge you to download and review these valuable tools.

Chapter 1: Yourself, The Leader – Drive Cybersecurity Strategy, Investment, and Culture

This chapter focuses on providing leaders with an understanding of what it takes from the top to drive a culture of cyber readiness within their organizations. Topic areas include: leading investment in basic cybersecurity; determining how much of the business’ critical operations are dependent on IT; how to approach cyber as a business risk; leading the development of cybersecurity policies; and building networks of trusted sector partners and government agencies for information sharing.

Chapter 2: Your Staff – Develop Security Awareness and Vigilance

This chapter focuses on an organizational approach to cybersecurity by educating employees and providing training resources that encourage cyber awareness and vigilance. Topic areas include: leveraging basic cybersecurity training; developing a culture of awareness; learning about phishing and other risks; identifying available training resources; and maintaining awareness of current cyber events.

Chapter 3: Your Systems – Protect Critical Assets and Applications

This chapter focuses on an organizational approach to cybersecurity by securing network assets and information. Topic areas include: learning what is on your network; leveraging automatic updates; implementing secure configurations; removing unauthorized hardware and software; leveraging email and browser security settings; and creating approved software policies.

Chapter 4: Your Surroundings – The Digital Workplace

This chapter focuses on an organizational approach to cybersecurity by ensuring only those who belong on your digital workplace have access. Topic areas include: learning who is on your network; leveraging multi-factor authentication; granting appropriate access and admin permissions; leveraging unique passwords; and developing IT policies to address user statuses.

Chapter 5: Your Data – Make Backups and Avoid the Loss of Information Critical to Operations

This chapter focuses on providing leaders with an understanding of what it takes to ensure their organization’s data is secure and recoverable. Topic areas include: learning what information resides on the organization’s network; learning what is happening on the network; domain name system protection; learning how the organization’s data is protected; leveraging malware protection capabilities; establishing regular automated backups and redundancies of key systems; and leveraging protections for backups.

Chapter 6: Your Crisis Response – Limit Damage and Quicken Restoration of Normal Operations

This chapter focuses on responding to and recovering from a cyber attack. Topic areas include: developing an incident response plan and disaster recovery plan; using business impact assessments to prioritize resources and identify systems to be recovered; knowing who to call for help in the event of a cyber incident; and developing an internal reporting structure to communicate to stakeholders.

New CISA resource for Screening: The Power of Hello

December 02, 2020

When is a “hello” not merely a “hello”?

Remember: only “approved” individuals should be able to enter your facility. The right greeting can be a critical component of your security protocols, and help you to balance the need to be warm and welcoming, while making sure that everyone who comes through our doors is safe and secure. Security goes beyond just having solid doors. In the real world someone has the responsibility to observe, evaluate suspicious behaviors — and ultimately — decide who to admit.

Technology offers many solutions (ID cards, fobs, facial recognition, biometrics and more) to verify those who we know, but what about those we don’t?  It all comes down to screening. A screener can be an employee or a volunteer. What’s important is that they know your people.

Who shows up at our doors?

Three types of people show up at our doors:

  1. The vast majority of the people who attend religious services are regulars. It is best practice to have someone at the door who knows most of the attendees and will welcome them upon arrival. They fill the largest bucket.
  2. A warm, simple greeting (Welcome, is this your first time here? Are you looking for someone in particular?) will usually elicit a response (e.g., I’m here for the Cohen bar mitzvah). Take the time to ask the Cohens for their guest list. Your screener can readily check that the visitor is on the list. These visitors fit into the smaller, second bucket.
  3. That leaves the Unknowns. What steps should be taken when an unknown is at the door? How can the screener decide whether an Unknown is a threat or a potential member of your congregation or facility?

DHS CISA’s new guide

Simply saying “Hello” can prompt a casual conversation with a new person, providing an opportunity to observe and establish a connection. CISA calls it the “OHNO” approach (Observe, Initiate a Hello, Navigate the Risk, and Obtain Help), developed to enable screeners to observe and evaluate suspicious behaviors, and to empower them to lower the risk and obtain help when necessary.

This guide promotes employee vigilance for our houses of worship stakeholders. Alert personnel can spot suspicious activity and report it. Keeping houses of worship facilities secure while sustaining the open and welcoming environment necessary for peaceful congregation requires a holistic approach to security.

Download these materials and think about how this guidance can make your facility safe and secure, without undermining your wish to be warm and welcoming. As always, institutions in New York City, Long Island and Westchester can reach out to their Community Security Initiative (CSI) regional security manager for assistance. Click here to send an email. Check out the new CSI video here.

Download links

Power of Hello Slicksheet (272.54 KB)
Power Hello Placemat (313.91 KB)
The Power of Hello Houses of Worship guide (2.1 MB)