Turkey’s banks are strictly regulated by the Banking Regulation and Supervision Agency (BRSA), which conducts process audits each year and COBIT IT audits every two years. Contraventions attract stiff financial penalties, so banks like ICBC Turkey must constantly ensure that their processes meet legal standards.
ICBC Turkey has an IT team of 55, of whom 30 are involved in the development, analysis and testing of its business applications. Its vital core banking application runs on an Oracle platform, with PL/SQL procedures and packages at the back end and Oracle’s native client tool Forms Developer at the front end. For demand management, the bank used JIRA tracking software. JIRA was also part of an in-house solution for change and service management.
“One of the most critical elements of BRSA audits concerns code integrity, the security of the code during its lifecycle from development to production and there are also issues about process quality assurance,” says head of application development at ICBC Turkey, Onur Tezel.
ICBC’s problem was that the development process and the demand lifecycle did not communicate with each other and so were not synchronized, which could lead to code being changed and compromised. The bank needed not only to implement a new software toolset but also to create new DevOps processes that would link the different development strands, supported by automated check and control points to protect the code on its journey.
ICBC Turkey turned to its local technology partner OPTiiM to craft and build the solution, which is a mix of Micro Focus tools and DevOps practices. OPTiiM analyzed ICBC’s needs, then designed and implemented a fully automated system that prevents unauthorized manual interference during application development, in order to comply with regulations laid down by the BRSA.
The solution is made up of a number of products. Micro Focus Service Manager was chosen to provide fully integrated IT service desk software that delivers core and extended service desk functionality. To deal with request management, the bank implemented Micro Focus Project and Portfolio Management together with OPTiiM. OPTiiM then integrated Project and Portfolio Management with Micro Focus Application Lifecycle Management, which supports DevOps methodology and is used for testing.
Finally, distribution and release management are controlled by Jenkins and Micro Focus Codar. These automate end-to-end application deployment and enable control of the application pipeline. As a result, the status of each piece of code is automatically cross-checked throughout the demand, development, test and production phases, and the code cannot progress to the next step unless all permissions and approvals are in place.
This new automated process created by ICBC Turkey has resolved its development issues by eliminating production risks.
“The customer needed an enterprise solution because it’s a bank and everything it does must be validated by the regulating agency,” says Yahya Ozturk, director of testing services at OPTiiM. “The solution put in place uses industry standard tools and when the BRSA wants you to comply with their regulations, Micro Focus software is the best way to do this.”
“One of the main benefits of this project is the integration between processes and the other is automation,” says Tezel. “Once the developers build code, no one else can touch it. All the deployment scripts and rollback scripts are included in this package, so if anything is wrong during test or production deployment, all the rollback scripts are automatically executed. To follow regulations, we ensure that the code deployed from development cannot be modified until production.
“When user acceptance tests are passed, the code cannot be changed and Codar will not let this happen.
“If code needs to be changed you need to go back and update your requirements and procedures and re-execute the whole process. All scripts must be created properly because they can’t be changed later. This is what we have accomplished with these control points.”
The integration and automation of this software lowers production deployment risks, reducing potential failure in the deployment process. The quality assurance of IT processes is increased and those processes can be easily audited through traceable workflows and document controls.
“The most important benefit is that we now pass the BRSA audits which means that we do not expose the business to possible regulation violations,” concludes Tezel.