Project Background

You’re the program manager for Identity & Access Management (IAM) at ShopSphere, a global e-commerce marketplace with 38M monthly active buyers and ~120K seller accounts. ShopSphere is entering its highest-traffic period (Black Friday through New Year), where the platform processes $1.6B/week GMV at peak. A recent internal red-team exercise demonstrated that a compromised IT operations account could be used to pivot into production, access customer PII, and modify order routing rules.

Following the exercise, the CISO issued a directive: enforce phishing-resistant multi-factor authentication (MFA) for all privileged access (production SSH, Kubernetes admin, cloud console, CI/CD admin, and break-glass accounts). The policy must be enforced before the annual SOC 2 Type II audit window begins in 10 weeks. Failure to show enforcement and evidence would put renewal deals with enterprise sellers at risk (estimated $22M ARR tied to security questionnaires).

The challenge: the IT Operations organization (responsible for 24/7 incident response, deployments, and on-call) strongly opposes the policy as written. They argue it will increase mean time to recovery (MTTR), create lockout risk during incidents, and slow down routine maintenance. You must deliver a plan that meets security and audit requirements without causing outages during peak season.

Stakeholder Landscape

• CISO and Security Engineering want phishing-resistant MFA (FIDO2/WebAuthn hardware keys) and removal of legacy factors (SMS/OTP) for privileged actions. They are willing to block access if teams don’t comply.
• IT Operations (Director + SRE managers) prioritize uptime and incident response speed. They want exceptions for on-call engineers, shared admin accounts, and automation systems. They have political capital because they “carry the pager” and are blamed for downtime.
• Platform Engineering owns the internal access gateway (bastion, SSO, and PAM tooling). They are mid-migration from a legacy VPN-based model to a zero-trust gateway, and they have limited bandwidth.
• Product & Revenue leadership care about uninterrupted peak season operations and fear any change that could cause a widespread lockout.
• Compliance (GRC) needs evidence: policy, enforcement logs, exception process, and access review artifacts that auditors will test.

The tension is explicit: Security wants strict enforcement; Ops wants reliability and speed; Compliance wants provable controls; Product leadership wants “no surprises” during peak.

Constraints

Your Task (Deliverables)

Produce a complete execution approach that addresses the policy enforcement and the organizational resistance. Specifically:

1. Policy-to-implementation plan: Translate the CISO directive into an implementable control set (what is enforced where, what “privileged” means, and what is out of scope).
2. Rollout and change management plan: A week-by-week plan that includes pilot, staged enforcement, communications, training, and support.
3. Exception and break-glass design: Define a narrowly-scoped exception process that Ops can live with, including time-bound approvals, logging, and periodic review.
4. Risk assessment + rollback plan: Identify failure modes (lockouts, degraded incident response, automation failures), how you’ll detect them, and how you’ll roll back safely.
5. Success criteria and audit evidence: Define measurable success metrics and the artifacts/logs you’ll produce for SOC 2 auditors.

Complications

1. Two weeks into the project, a P0 incident occurs during a regional outage. Ops leadership claims MFA prompts slowed response and demands a blanket exemption for on-call.
2. A critical automation pipeline (Terraform apply + cluster admin) uses a long-lived service account that cannot perform interactive MFA. Replacing it requires refactoring and coordination across 3 teams.
3. Hardware key procurement is delayed: your vendor can only guarantee delivery of 250 keys within 4 weeks; the remaining keys may arrive after the freeze.

You are expected to demonstrate how you would enforce an unpopular security policy while maintaining operational excellence: aligning stakeholders, making explicit trade-offs, sequencing work under constraints, and ensuring the control is both real and auditable.