Data Policies versus ACLs
Data Policies are an effective means of controlling a few fields, and is probably the best way to ensure that a field has a value on the server before a record can be inserted or updated. When it comes to ensuring that a field (or a table) is fully inaccessible to users without a certain role however, ACLs are the way to go.
ACLs, short for Access Control Lists and otherwise known as Security Rules, are another means by which you can control access to elements within ServiceNow. They can serve much the same function as Data Policies, and a great deal more. One major difference between Data Policies and ACLs, is that ACLs are scriptable. This allows for a great degree of flexibility of functionality. ACLs
You can access the list of ACLs on a given table in the same way you'd access many other customization's: either by right-clicking the form header, or through the hamburger menu at the top-left of the list view, and then clicking on Customize, and then Security Rules...