You are the head of the research and development (R&D) department of a pharmaceutical company and the Product Owner of the Scrum team developing an application that handles the most sensitive data for your department. You are concerned with the protection of the application data stored in the database. As a product owner, how do you address the concern of data confidentiality in the database?
A. Assign any development team member to develop a proprietary cryptographic module to encrypt the data in the database.
B. Assign the most senior development team member to develop the application code utilizing a standard cipher that is openly reviewed and certified.
C. Outsource the task to a professional cryptographic vendor and require them to use a standard cipher that is openly reviewed and certified.
D. Add the encryption requirement of a standard cipher that must be openly reviewed and certified, into the product backlog and let the development team decide the implementation details.
PS. Scrum is quite popular these days. It’s good for security professionals to fulfill the security by design principle in the context of the agile setting, while Scrum is one of the mainstream frameworks.