9. All critical systems, and systems and locations where Level 4 or 5 information is stored, must be accurately identified and physically secure.