Professional Scrum Master II (PSM II) — Question 88

During a Product Backlog refinement meeting, the Product Owner introduces a business objective that will be worked on for the next several Sprints. The Product
Owner envisions several key features necessary to be delivered in order to meet the business objective. As the features will be using sensitive user data it will be subjected to external security audits. These non-functional security requirements were not applicable to previous Increments.
What are two good ways the Development Team can handle these high-security concerns? (Choose two.)

Answer options

• A. They should be planned in parallel Sprints so not to disrupt the Development Team during feature development. After security concerns have been finalized, they will be applied to the work that is already completed before new feature development can continue.
• B. They should be handled in a parallel Sprint by a separate security team so that security can be resolved through application enhancements without impacting the functional development.
• C. A complete list of security-related Product Backlog items needs to be created before starting a new Sprint.
• D. During the Sprint Retrospective, the Development Team assesses how to add these expectations to their Definition of Done so every future Increment will meet these security requirements. If needed they can work with external specialists to better understand the requirements.
• E. They are added to the Product Backlog and addressed throughout the next Sprints, combined with creating the business functionality in those Sprints, no matter how small the business functionality.

Correct answer: D, E

Explanation

Option D is correct because it emphasizes the importance of updating the Definition of Done to include security requirements, ensuring that all future Increments meet security standards. Option E is also a valid approach as it integrates security work with the development of new features, allowing for continuous attention to security. Options A and B segment security work from functional development, which may lead to delays or incomplete integration of security features. Option C suggests creating a complete list upfront, which is impractical in an Agile environment where requirements evolve.