How Zhengzhou Bank Achieved Advanced DevSecOps Maturity: Insights and Lessons

Standardization and tool empowerment are identified as key success factors for technology companies, with DevOps focusing on people, processes, and products to reduce risk in production environments.

The 2021 GOLF+ IT New Governance Leadership Forum, hosted by the China Academy of Information and Communications Technology (CAICT), highlighted "new governance integrating innovation" and "XOPS innovation guiding operations development".

During the forum, the first official assessment results of DevOps capability maturity in security and risk management were announced. Zhengzhou Bank's electronic banking project passed the CAICT’s Level‑2 security and risk management assessment, indicating an advanced domestic security operation capability.

Interview – Q&A

Q: Please introduce yourself and the project you evaluated. Jiang Tao, CIO of Zhengzhou Bank, explained that the bank is a regional institution listed in Hong Kong and Shenzhen, ranked 247th globally, and that the electronic banking system extends core banking services to online channels.

Q: How do you feel about passing the DevSecOps standard assessment? Jiang Tao expressed pride, noting the assessment confirms the bank’s high level of security risk management and will guide future improvements.

Q: Why did the bank decide to participate in the DevSecOps assessment? Since 2018, the bank has undertaken core system upgrades, embraced DevOps, and saw the CAICT’s DevSecOps standards as comprehensive guidance, prompting participation to validate and improve its practices.

Q: Why pursue multiple standards? The bank has sequentially achieved continuous delivery, technical operation, and micro‑service assessments, each enhancing process standardization and automation, and now integrates security to raise overall capability.

Q: What challenges were faced during preparation? Issues included incomplete documentation and coverage; the bank addressed these by revising policies, conducting research, and implementing the changes to meet the assessment criteria.

Q: How are culture, process, and technology aligned for DevSecOps? Culturally, security awareness training is provided; procedurally, clear responsibilities and incident‑closure processes are defined; technically, an end‑to‑end security toolchain and monitoring system have been established.

Q: What are the next steps for DevSecOps implementation? The bank plans to continue improving based on assessment feedback, expand DevSecOps practices, and pursue higher‑level standards to further enhance security risk management.

The article also presents statistics on other city‑commercial banks and financial institutions that have participated in the DevOps capability maturity assessments, showing the number of projects evaluated under various standards.

The DevOps Capability Maturity Model, jointly developed by CAICT, industry alliances, and leading internet companies, is recognized as the first comprehensive DevOps standard in China and was adopted as an international standard by ITU‑T in July 2020.

The model covers agile development management, continuous delivery, technical operation, application design, security and risk management, and system/tool evaluation.