Security features are typically considered non-functional requirements (NFRs), which should be captured in the product backlog and prioritized accordingly. As per the PMI Agile Practice Guide (Section 5.1: Product Backlog) and Mike Griffiths’ PMI-ACP Exam Prep Book (Chapter 6: Value-Driven Delivery), any requested functionality—whether business- or system-level—must be clearly defined as a backlog item so the team can plan for it.
Option A is correct: security requirements should be added to the backlog and prioritized like other features.
Option B may come later if implementation is unclear, but first, the work must be defined and logged.
Option C and D represent clarification steps but don’t directly support implementation as backlog management does.
