ACL: How do I restrict table columns to a specific group?

wais
Kilo Expert

New to ACL. We would like to restrict a few columns/fields in a table to allow write permission to only a specific group. How do I do that?


Anurag Tripathi
Mega Patron

Hi Wai,

This is what you need to replicate; change the table, field and group name as per your need.

[Image: find_real_file.png]


-Anurag

Patrick Schult2
Giga Guru

The idea is that you define an ACL for the column's "write" operation. You can write a tiny script into the ACL that it would evaluate before granting permission to write in that field (column).

See "Create an ACL rule" for the specifics of how to do this. In the script field, if you want to use a group membership check, you'll use the GlideUser API to do that. Please note that it's a best practice to not use scripts in ACLs unless it's truly necessary (e.g. don't use a script to check if the user has a role, because there's the Roles related list for that) - it prolongs execution time. If you do end up wanting to use a group membership check, you definitely need to use a script, but just keep in mind it's not always the best option.


Brad Tilton
ServiceNow Employee

If you want to specifically use groups there is a script field on the ACL, so you could do something like:



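// Allow the write only if the current user is a member of the group (isMemberOf is a GlideUser method)
answer = gs.getUser().isMemberOf('groupname');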



That being said, the security paradigm in ServiceNow is really based around roles, so the standard thing to do would be to create a role that can write to the columns, then add that to the groups, then add the role to the ACLs for those columns through the roles list on the ACL. This requires no scripting.


Thank you ALL. I am able to configure it without using any scripting.