In this study, the researcher presented the Integrated Access Control Model (the Model, hereafter) for deriving and specifying access control policies and investigated the usefulness of the Model. The Model in this research integrates access control policy specification into the data protection mechanism, making a significant step towards ensuring that policies are enforced in a manner consistent with a system's security requirements specifications. The researcher then utilized a simulation method to evaluate the Model's usefulness and effectiveness. Data leakage in corporations has been a scary proposition and a serious headache to both the CEOs(Chief Executive Officers) and the CSOs(Chief Security Officers). Security professionals or practitioners have always had to deal with data leakage issues that arise from e-mail, instant messaging(IM), and other Internet communication channels. In addition, with the proliferation of wireless and mobile technology, it's now much easier than ever for loss by data breaches to occur, whether accidentally or maliciously. While there are plenty of security tools on the market for keeping mobile and/or stationary data from leaving the enterprise surreptitiously, the best ones seem to use a combination of prevention and detection methods, such as a detection engine and a data blocker. However, it would be crucial to first understand what data types are being protected and the level of risk. In this study, the researcher explained the theoretical aspects of privacy, together with legal consideration on the protection of personal data. A company's sensitive data, including personal data, is widely distributed throughout its network. Important or sensitive data resides not just in the organization's databases, but also in e-mail messages, on individual PCs and as data objects in web portals. Sensitive information also comes in many forms, including credit card details and Resident Registration Numbers, equivalent to Social Security Numbers in the U.S. As corporations enable their businesses on the web and link up with networks belonging to partners, suppliers and customers, it is vital to keep track of what's flowing over those networks. With so many network egress points for data, it is of much significance to be able to constantly monitor network traffic and inspect e-mail, IM and peer-to-peer file-sharing systems, as well as web postings and FTP sites, for data that may be exiting a network in violation of company policies. The data protection system in a company should be designed to keep an eye on what users and administrators are doing with their access privileges and either prevent certain actions--such as modifying, copying, deleting or downloading large sets of data or files--or send out alerts when someone attempts one of those actions. Encrypting sensitive data in databases is another measure companies should consider. Access control is a mechanism for achieving confidentiality and integrity and access control policies express rules concerning who can access what information, and under what conditions. Companies should not give employees far more access than they really need. It is critical to create access control policies that limit users' network privileges strictly to what is required for their jobs, and set controls for enforcing those policies. The researcher explained how to configure the Integrated Access Control Model and examined the usefulness of the Model, utilizing a simulation method to effectively evaluate the Model's usefulness by comparison with statistics on data leaks. This study shows that limiting user privileges upon the principle of "least privilege," monitoring user access to mission-critical data, and detecting unauthorized access to high-risk data are key steps to take. It also is quite important to be able to provide clear audit trails that track when people try to act outside of corporate security policy.