The correct answers are B and C because security is part of product quality and should be addressed within the Scrum Team’s ongoing work, not delegated away or deferred to a later phase. Option B is correct because security concerns can and should be made visible in the Product Backlog when there is specific work needed to address them. This ensures transparency and allows the team to inspect, prioritize, and act on those concerns as part of product development.
Option C is also correct because if security is necessary for an Increment to be complete and releasable, it belongs in the Definition of Done. This ensures that security expectations are consistently applied every Sprint rather than treated as optional or postponed.
Option A is incorrect because Scrum does not rely on handing responsibility to a separate department. Option D is incorrect because delaying security work undermines transparency and increases risk. Option E is incorrect because security should not be isolated into one future Sprint as a separate cleanup effort. Scrum promotes integrating quality, including security, continuously into development so each Increment is usable and meets appropriate standards.