CAS-003 Exam Question 191

An organization, which handles large volumes of PII, allows mobile devices that can process, store, and transmit PII and other sensitive data to be issued to employees. Security assessors can demonstrate recovery and decryption of remnant sensitive data from device storage after MDM issues a successful wipe command.
Assuming availability of the controls, which of the following would BEST protect against the loss of sensitive data in the future?
  • CAS-003 Exam Question 192

    A security engineer is working with a software development team. The engineer is tasked with ensuring all
    security requirements are adhered to by the developers.
    Which of the following BEST describes the contents of the supporting document the engineer is creating?
  • CAS-003 Exam Question 193

    Which of the following is the BEST reason to implement a separation of duties policy?
  • CAS-003 Exam Question 194

    A new database application was added to a company's hosted VM environment. Firewall ACLs were modified to allow database users to access the server remotely. The company's cloud security broker then identified abnormal from a database user on-site. Upon further investigation, the security team noticed the user ran code on a VM that provided access to the hypervisor directly and access to other sensitive data.
    Which of the following should the security team do to help mitigate future attacks within the VM environment?
    (Choose two.)
  • CAS-003 Exam Question 195

    A project manager is working with a software development group to collect and evaluate user stories related to the organization's internally designed CRM tool. After defining requirements, the project manager would like to validate the developer's interpretation and understanding of the user's request.
    Which of the following would BEST support this objective?