All new and existing vendors must complete a Vendor Information Sheet prior to receiving payments from Niagara-on-the-Lake Hydro.
This sheet is used to confirm your company information, verify tax identity, and set up electronic funds transfer for payment.
Child and Forced Labour
Child and forced labor are pervasive problems throughout the world. Niagara-on-the-Lake Hydro will not tolerate the use of child or forced labor in any of its operations and facilities. We expect the suppliers and contractors with whom we do business to uphold the same standards.
Vendor/Supplier Acknowledgement
The “Supplier” covenants, acknowledges and agrees as follows:
- The Supplier certifies that it complies with all applicable laws and regulations in the jurisdictions where it operates and where its goods are produced, including laws relating to the prohibition of forced and child labor.
- The Supplier certifies that it has not used, does not use, and will not use forced or compulsory labor in any of its operations. Forced labor includes, but is not limited to, any work or service that a person is forced to do against their will under the threat of any penalty or coercion.
- The Supplier certifies that it has not employed, does not employ, and will not employ children in the production of goods. For the purposes of this covenant, a child is defined as any person under the age of 15 years or the minimum age for employment permitted by the law of the country where the work is performed, whichever is higher.
- The Supplier commits to ensuring that its own suppliers and subcontractors adhere to the same standards regarding forced and child labor. The Supplier shall:
  - Conduct due diligence on its supply chain to ensure compliance with this Covenant.
  - Require that all of its suppliers and subcontractors provide written confirmation that they do not use forced or child labor.
  - Monitor and audit its supply chain regularly to ensure ongoing compliance.
  - Take immediate corrective action if any violations of this Covenant are discovered within its supply chain.
- The Supplier agrees to maintain accurate and complete records of its labor practices and those of its supply chain. The Supplier shall make these records available for inspection by the Client or an independent auditor appointed by the Client upon reasonable notice.
- The Supplier shall establish mechanisms for reporting any violations of the covenants herein, including:
  - A reporting system for employees and other stakeholders to report any concerns about forced or child labor without fear of retaliation.
  - A commitment to investigate and address any reported concerns promptly and effectively.
  - A remediation plan to address any confirmed instances of forced or child labor, which includes providing support to affected individuals and taking steps to prevent recurrence.
Cyber Security Documentation for External Service Providers
Responsibilities and Expectations
INTRODUCTION
External service providers play a crucial role in the cybersecurity framework of Niagara-on-the-Lake Hydro. This document outlines the minimum level of cyber protection an external service provider should maintain, to ensure clarity and alignment with Niagara-on-the-Lake Hydro’s cyber security policies and objectives.
SCOPE
This documentation applies to all external service providers engaged by the organization, including but not limited to managed security service providers (MSSPs), cloud service providers, third-party vendors, and consultants. The responsibilities are categorized into various domains of cybersecurity, each of which is vital for maintaining a secure environment.
GENERAL EXPECTATIONS
Compliance with Security Policies
All external service providers must comply with the organization’s security policies, standards, and procedures. They must also adhere to relevant industry standards and legal regulations. This is applicable to all vendors with access to NOTL Hydro data and networks. Vendors with no access are not required to follow these policies but are encouraged to.
Confidentiality and Data Protection
Service providers are required to ensure the confidentiality, integrity, and availability of organizational data. They must implement robust data protection measures and act in accordance with data privacy laws and regulations.
Access Control
External service providers must manage access to systems and data in a secure manner. This includes enforcing strong authentication mechanisms and regularly reviewing access permissions.
Incident Response and Reporting
Service providers must have a defined incident response plan and promptly report any security incidents to the organization’s designated contact. They should assist in the investigation and remediation of incidents as required.
SPECIFIC EXPECTATIONS
Network Security
- Implement and maintain firewalls, intrusion detection/prevention systems (IDS/IPS), and other network security controls.
- Monitor network traffic for suspicious activities and respond to potential threats.
- Ensure secure configuration and regular updates of network devices.
Endpoint Security
- Deploy and manage antivirus, anti-malware, and endpoint detection and response (EDR) solutions.
- Perform regular patch management and vulnerability assessments on endpoint devices.
- Enforce security policies related to the use of endpoint devices.
Application Security
- Conduct security assessments and, where applicable, code reviews of applications.
- Implement secure development practices and provide secure coding training to developers.
- Ensure that applications are regularly updated and patched to address security vulnerabilities.
Cloud Security
- Ensure the secure configuration and management of cloud environments.
- Implement access controls and data encryption in the cloud.
- Conduct regular security assessments of cloud services and infrastructure.
Database Security
- Implement database access controls.
- Regularly monitor and audit database activities for suspicious behavior.
- Ensure that databases are securely configured and regularly updated.
Physical Security
- Secure physical access to facilities and data centers.
- Implement surveillance and monitoring systems to detect unauthorized access.
- Ensure that secure disposal processes are in place for sensitive data and equipment.
SERVICE LEVEL AGREEMENTS (SLAs)
All responsibilities and expectations outlined in this document should be formalized in service level agreements (SLAs). The SLAs must include:
- Specific security requirements and controls.
- Performance metrics and reporting obligations.
- Penalties for non-compliance with security requirements.
REVIEW AND AUDIT
The organization reserves the right to review and audit the security practices of external service providers. Regular audits will be conducted to ensure compliance with the agreed-upon security controls and SLAs.
TRAINING AND AWARENESS
External service providers are expected to maintain a high level of security awareness among their staff. They should provide regular training on cybersecurity best practices and emerging threats.
COMMUNICATION AND COLLABORATION
Effective communication and collaboration between the organization and external service providers are essential for a robust cybersecurity posture. Regular meetings and updates should be scheduled to discuss security issues, review performance, and plan for improvements.
CONCLUSION
By clearly defining and assigning cybersecurity responsibilities to external service providers, the organization aims to ensure a cohesive and effective security strategy. Adhering to these responsibilities will help protect the organization’s assets, data, and reputation from cyber threats.