How Zhengzhou Bank Achieved Advanced DevSecOps Maturity – Insights from the CAICT Assessment
Zhengzhou Bank’s electronic banking system passed the Level 2 security‑operation assessment of the DevSecOps standard, showcasing how standardization, tool empowerment, and a culture of shared security responsibility can elevate a financial institution’s DevOps practices to an advanced domestic level.
The practice of many enterprises shows that standardization and tool empowerment are key to the success of technology companies. Standards gather best practices; embedding them in tools keeps DevOps focused on people, processes, and products, sustaining success and reducing risk.
2021 GOLF+ IT New Governance Leadership Forum
Held on December 24, organized by the China Academy of Information and Communications Technology (CAICT), the forum centered on “balancing governance and effectiveness, building a new ecosystem of technology governance” and “XOPS innovation, leading the new trajectory of operations development.” It announced the first batch of DevOps capability maturity security and risk management assessment results.
DevSecOps Assessment Result for Zhengzhou Bank
The assessment, conducted by CAICT, confirmed that Zhengzhou Bank’s electronic banking project passed the Level 2 security‑operation module of the DevSecOps standard assessment, indicating that its security‑operation capability has reached an advanced domestic level.
Interview – Q&A with Zhengzhou Bank Leaders
Q: Please introduce yourself, your enterprise, and the project you evaluated.
Jiang Tao (CIO): Zhengzhou Bank is a regional bank in central China, listed in Hong Kong (2015) and Shenzhen (2018). It ranks 247th in the global top‑1000 banks and leads among Chinese city commercial banks. The evaluated project is the electronic banking system, extending core banking services to internet channels with personalized, self‑service features.
Q: How does it feel to pass the DevOps standard assessment at Level 2 security and risk management?
Jiang Tao: We are pleased that the assessment confirms our high level of security‑risk management, placing us at the forefront of the industry. It validates our DevSecOps practice and provides guidance for further improvement.
Q: Why did you decide to participate in the DevSecOps standard assessment?
Jiang Tao: Since 2018, we have undertaken core system upgrades, cloud projects, and a big‑data platform, forming a tech‑business integrated organization. We have been applying DevOps throughout and exploring DevSecOps to bridge security and operations. The comprehensive CAICT assessment offered clear guidance, so we participated to verify our work and promote continuous improvement.
Q: You have passed multiple standards before. Why pursue several assessments?
Jiang Tao: After achieving continuous delivery capability for monolithic architecture, we passed assessments for technical operation capability and micro‑service continuous delivery, which standardized and automated our processes. The current security and risk management assessment deepens the integration of security into DevOps, further enhancing our security‑operation level.
Q: What benefits has the security and risk management assessment brought to your enterprise?
Jia Aijun (Head of IT Department): It introduced the DevSecOps standard across development, operations, and security teams, ensuring lifecycle security, establishing complete processes, tools, and monitoring, and providing a clear direction for continuous improvement.
Q: What are the distinctive features of the evaluated project and its security challenges?
Jia Aijun: The electronic banking system was evaluated for general risk control and operational risk control, covering ten capability domains such as security toolchain, data management, monitoring, and emergency response. Daily challenges include increasingly targeted external attacks, emerging vulnerabilities, and sophisticated attack techniques, requiring rapid, efficient response through DevSecOps.
Q: What difficulties did you encounter during preparation, and how were they solved?
Jia Aijun: Some institutional documents lacked detail and coverage. We conducted research, revised and supplemented the documents, and implemented them, ultimately meeting the assessment requirements.
Q: How does Zhengzhou Bank implement DevSecOps from culture, process, and technology perspectives?
Jia Aijun: Culturally, we conduct security awareness training and online exams, clarifying responsibilities. Process‑wise, we establish clear policies for security monitoring and incident closure. Technologically, we have built an end‑to‑end security toolchain, a robust monitoring system, and complete security‑operation procedures.
Q: What are the next steps for DevSecOps practice in your bank?
Jia Aijun: We will continue to address identified gaps, promote the DevSecOps framework, align with higher‑level standards, and further embed security early in development, ensuring continuous optimization and broader adoption across the organization.
Overview of the R&D‑Operations Integrated (DevOps) Capability Maturity Model
The model, led by CAICT with participation from major internet, financial, and telecom enterprises, is the first comprehensive DevOps series standard in China and has been adopted by many leading companies. It was officially concluded by the ITU‑T in July 2020, becoming the world’s first international DevOps standard.
The assessment framework includes agile development management, continuous delivery, technical operations, application design, security and risk management, and system/tool evaluation.
Statistics of Enterprises Participating in the DevOps Capability Maturity Model
As of December 24 2021, city‑commercial banks and other financial institutions have submitted numerous projects for evaluation across various standards, with detailed numbers illustrated in the accompanying charts.
For further information on the DevOps capability maturity model assessment, please contact the China Academy of Information and Communications Technology.