I haven't found an International (or National) Standard that goes into detail on protecting remote physical assets; the closest I have found is in ISO 27001 - Annex A.11: Physical & Environmental Security. According to Wikipedia, ISO 27001 itself is a much wider-ranging standard on the whole subject of "information security":
ISO/IEC 27001 specifies a management system that is intended to bring information security under management control and gives specific requirements. Organizations that meet the requirements may be certified by an accredited certification body following successful completion of an audit.
However, from the first link, Annex A.11 of the standard is more specific, and comes in two parts:
Annex A.11.1 is about ensuring secure physical and environmental areas. The objective in this Annex A control is to prevent unauthorised physical access, damage and interference to the organisation’s information and information processing facilities.
Annex A.11.2 is about Equipment. The objective in this Annex A control is to prevent loss, damage, theft or compromise of assets and interruption to the organisation’s operations.
A lot of the annex is to do with "on site" assets, but Annex A.11.2 does include:
A.11.2.6 Security of Equipment & Assets Off-Premises
Security controls need to be applied to off-site assets, taking into account the different risks involved with working outside the organisation’s premises. This is a common area of vulnerability and it is therefore important that the appropriate level of controls is implemented and tie into other mobile controls and policies for homeworkers etc. Considerations should be made and risk assessments carried out for assets that are taken off site, either routinely or by exception. Controls will likely include a mixture of; Technical controls such as access control policies, password management, encryption; Physical controls such as Kensington Locks might also be considered too; alongside policy and process controls such as instruction to never leave assets unattended in public view (e.g. locking in the boot of the car). It is particularly important to review security incident trends relating to off-site assets. The auditor will expect to see evidence of this risk assessment taking place and the proportionate controls selected according to the evaluated risk levels. They will also expect to see evidence of policy compliance.
Some other resources that may help:
Physical security on Wikipedia includes in its overview three "layers":
- deter potential intruders (e.g. warning signs and perimeter markings);
- detect intrusions and monitor/record intruders (e.g. intruder alarms and CCTV systems); and
- trigger appropriate incident responses (e.g. by security guards and police).
The UK's Centre for the Protection of National Infrastructure has pages on Physical Security and Protecting my Asset that both cover the multi-layered approach, including from the second link:
- Deter: stop or displace the attack
- Detect: verify an attack, initiate the response
- Delay: prevent the attack from reaching the asset (including measures to minimise the consequences of an attack)
- Mitigate: minimise the consequences of an attack against your site
- Response: actions to prevent the goal of the attack being completed
The US Government's Physical Security Systems Assessment Guide (PDF), while appearing to be mainly aimed at larger (and often manned) facilities, covers similar ground and many aspects will apply to the protection of remote equipment.