1 Send people to inspect the physical premises where the software will be written. Note whether buildings have basic security check-in procedures and the like. Find out what kind of access people have to key systems.2 Look closely at the way networks function, particularly if you plan to use virtual private networks. These are good for cross-facility communications, but make it easier for remote employees to work from home or on notebook computers, which can increase vulnerability. 3 Protect important information, like source code, with passwords and access codes, and make sure that those are not widely available, either in the United States or at the outsourcing location. 4 Demand that the outsourcer has tight human resources screening. Look for employee retention figures, find out if competitors do business with the same outsourcer, and if so, ensure that there is no contact between teams. 5 Know what risks your own organization can take. Regulated industries such as health care and financial services need to keep closer controls over data and software development than, say, packaged goods companies. 6 Work to understand the legal system and culture of both countries. Negotiate contracts that make the offshore company responsible for the actions of its employees.7 Budget for greatly increased telecom costs, as well as for regular visits to the outsourcer.8 Make sure that any test data being used does not expose real information traceable to real customers.9 Always maintain an original copy of source code. This step seems obvious, but in one Y2K outsourcing case, a company was unable to prove that a bug had been added to a program because it had not kept its source code. -M.F.