Project Background

Northbeam Analytics is preparing to launch a new enterprise reporting workspace for healthcare customers. The feature is revenue-critical because Sales has six signed deals worth $3.2M ARR that require security approval before go-live. You are the program manager leading execution across product, engineering, security, legal, and customer-facing teams.

The delivery team includes 4 backend engineers, 2 frontend engineers, 1 security engineer shared at 50% capacity, 1 product manager, 1 designer, 1 QA lead, and you. The target launch date is 10 weeks away because the largest customer, Meridian Health, must begin pilot onboarding by June 30 to align with its fiscal planning cycle.

Key Stakeholders

Security wants audit logging, SSO enforcement, encryption key rotation, and role-based access controls fully validated before launch. Sales wants the minimum viable release shipped on time to close the six deals this quarter. Engineering wants to avoid a late scope increase because the team is also supporting a legacy reporting platform with weekly incident load.

Constraints

• Timeline: 10 weeks total
• Budget: $180,000 remaining, including up to $40,000 for external compliance review
• Team capacity: no additional headcount approved
• Dependency: external penetration test requires a 2-week booking lead time and 1 week to complete
• Compliance target: pass internal HIPAA readiness review and SOC 2 control mapping before customer pilot
• Launch requirement: zero Critical or High security findings open at go-live

Complications

1. The shared security engineer is pulled into an unrelated incident response for up to 2 weeks during the project.
2. Meridian Health has requested customer-managed keys, but engineering estimates that feature alone would consume 3 extra weeks.
3. Legal will not approve customer contracts unless audit log retention is documented and tested.

Your Task

1. Build a 10-week execution plan to work with security and meet compliance requirements.
2. Recommend scope trade-offs for launch versus post-launch commitments.
3. Define stakeholder communication and escalation points for security sign-off.
4. Identify the top risks and mitigation actions.
5. Specify launch success criteria and a rollback/readiness approach.