In the absence of further information, written information security policies are by default generally considered information that is “for internal use only” or “restricted.”

Interesting read ...