Data policies are an effective means of controlling a few fields, and making a field mandatory in a data policy is probably the best way to ensure that a field has a value on the server before a record can be inserted or updated. Making a field read-only in a data policy is probably also the best way to prevent the value from changing on the server. When it comes to ensuring that a field (or a table) is fully inaccessible to users without a certain role or set of permissions however, ACLs are the way to go.
ACLs (short for Access Control Lists and otherwise known as Security Rules) are another means by which you can control access to elements within ServiceNow. They can serve much the same function as data policies, and a great deal more. One major difference between data policies and ACLs, is that ACLs are scriptable. This allows for a great degree of flexibility of functionality.
You can access the list of ACLs on a given table in the same way you'd access many...