There should not be anything abstract in a specific Regulation on RSD in a particular organization. It should be maximally tied to the features of the network (whether there is a domain, what means of protection and assignment of rights are used, application forms for obtaining access, actions of the administrator and IS administrator when executing such applications, etc.). Look for ready-made documents on the request "regulation on the permissive system of access to information" and build on them. Are they more or less typical, maybe there is even something typical from the FSTEC / FSB (although it is most likely "chipboard"). Look at the links in the 27cm post , Emelyannikov is generally useful.
Usually, it is precisely access to information that is implied, for access control there are separate instructions and regulations.
The requirements for the protection system are taken from STR-K, FSTEC orders 17, 21, 31, etc. (there's a lot).

Good day! Wrote a similar term paper recently. I did not approach my supervisor with questions, because he did not have time for me. Having studied this topic with the help of "about the great Internet", I sketched a coursework on 20 sheets (almost the recommended amount in our university). In it, I described the licensing system in com. secret, in the state. secret. and, accordingly, was guided by the laws on GT and CT, in short, if you have a term paper on "Organizational Information Protection", then you plunge headlong into the laws and create work on them, well, at least I did).
If you don’t find fault with the originality of the text, you can get information from here:
bezopasnik.org/article/17.htm