Calling for caution in outsourcing to low-cost countries, IT analyst firm Gartner has said companies must identify and manage the security risks before signing any offshoring agreement.

The key to successful and secure outsourcing agreements is understanding the security and privacy risks for a business process, application or technology function early in the outsourcing decision process, said senior analysts at Gartner Inc.

''An enterprise's security staff should be at the table from the start of the process and throughout the life cycle of the outsourcing deal. The security staff should be included in the operations management functions, working with the vendor's delivery management staff, as well as the strategic planning function where standards, architecture and integration decisions are made,'' Gartner said.

The analysts recommend that large enterprises audit prospective enterprise service providers (ESPs) to ensure that the policy and controls around the outsourced functions or systems meet the enterprise's security standards.

Enterprises that can't take on the task of conducting a security audit should require ESPs to provide evidence of an audit by an independent third party, they said.

When audits are not available, enterprises should use scanning tools or services to ensure that the ESP does not have vulnerabilities in the applications and network gateways facing the Internet, Gartner said.

''Even when audits are available, periodic scanning of the ESP is necessary to ensure baseline profile is maintained.

''Outsourcing decisions require careful analysis of what requirements must be extended beyond the enterprise, and planning to verify and monitor the ESP's ability to meet them,'' said the analysts.

Offshore outsourcing requires even greater care in several areas, such as the degree of governmental access to, or control over, the service provider, as well as over the customer's data, Gartner added.