Corporate Compliance and Risk Management
In a nutshell
AURUM is an integrated framework for compliance and risk management. It supports organizations in identifying the optimal information security concepts in terms of costs, effectiveness, and compliance with standards. It is designed to minimize the necessary interaction between user and system and to provide decision makers with an intuitive solution that can be used without in-depth knowledge of the information security domain. The system is highly customizable and can be used by SMEs as well as large companies.


Your Benefits
  • Central Knowledge Base
  • Process-based Risk and Compliance Management
  • Permanent Compliance
  • Raised Awareness

Who uses AURUM
  • Large Companies
  • SMEs
  • Cities and municipalities
  • Auditors and Risk Managers
Legal Background
The importance of information technology has created an urgent need to ensure its continuous and reliable operation and to protect the data it processes and stores. The intensive use of interconnected and complex IT systems incurs risks with increasingly severe disruptive effects. As a consequence, managing evolving IT risks is imperative for modern organizations to ensure resilient operation and to protect the transmitted and stored data. Common frameworks, such as the Sarbanes-Oxley Act and Basel II/III, require decision makers to define mitigation strategies for their operational IT risks.

Information security standards, such as ISO 27001/27002 or the German Grundschutzhandbuch, tend to state only very abstract implementation suggestions for risk mitigation.

While approaches based on best practices, standards, and experts can substantially support organizations in managing risks, they have a variety of shortcomings, in particular because decision makers have to deal manually with often thousands of interdependencies and interactions. Making decisions in such an environment without computational support is not only tedious and expensive but also highly error-prone.

Key Questions

  • What are potential threats for my organization?
  • What is the likelihood of these threats?
  • What is the potential impact of a particular threat?
  • Which vulnerabilities could be exploited by such threats?
  • Which controls are required to mitigate these vulnerabilities?
  • What are the investments in security worth?


AURUM provides decision makers with an intuitive and easy-to-use risk management solution. It encapsulates the complexity of the domain and provides only the information necessary to make informed and efficient decisions.


Central Knowledge Base

The knowledge base includes all relevant information about the company, such as its organizational units, business processes, and assets. It integrates external and internal information sources to calculate the actual risk level based on recent events and suggests appropriate countermeasures. The structure of the knowledge base enables interoperability by providing a shared understanding of the domain in question, formalizes that shared understanding so that it can be processed by machines, and allows the reuse of information already gathered within the company.

Permanent Compliance

AURUM automatically identifies changes to the infrastructure, processes, and organizational structure. In combination with actual events (internal and external), AURUM continuously calculates the current threat level and ensures that appropriate countermeasures are in place. Decision makers are informed if additional countermeasures become necessary. AURUM also ensures continued compliance with the defined standards: it automatically determines control implementation gaps and identifies potential control implementations that can be used to fill these gaps.

Process-based Risk- and Compliance Management

The importance of a corporate resource indicates the organizational impact if that resource is no longer able to conduct its designated tasks, thus affecting the availability of the corresponding business process. AURUM is a framework that can use business process models (e.g., from ADONIS, ARIS, etc.) as the basis for risk and compliance management.

Raised Awareness

Decision makers are often overwhelmed by the high number of alternative solutions and are often not fully aware whether their investments are appropriate or effective at all. Therefore, AURUM provides decision makers with an intuitive interface for the interactive evaluation of potential mitigation scenarios, i.e. the system offers them information on the specific selection problem while ensuring that the solution chosen will be an efficient one. The decision makers learn about the consequences of their decisions and get information on the gap between the existing solution and the potential solutions in each relevant criterion (e.g., risk level, costs, etc.).
User Interface
Intuitive Dashboard with customizable Widgets
The dashboard summarizes the collected information and presents it on a single page. It provides an overview of the current company inventory and the calculated risk values. AURUM supports the administration of an arbitrary number of sites. The corresponding widget displays a zoomable world map with markers that represent the locations of the company's organizational units. The locations are based on the provided addresses or GPS coordinates. Privileged users can schedule reminders (e.g., for regular compliance checks) for other users or sites. The dashboard consists of widgets that can be individually combined and rearranged by drag and drop.
Central Knowledge Base
The inventory provides various means to collect information about the company, such as its organizational units, business processes, and assets. The business process inventory includes a BPMN component for business process visualization and process-related calculations. The asset inventory includes a network scanner component for automatic network scanning. AURUM can be customized to individual scenarios or used with the default knowledge inventories. For example, the AURUM security ontology provides an established information security knowledge base of more than 500 information security concepts that serves as the basis for the AURUM risk management framework. The user can also specify security attribute requirements for each asset, such as confidentiality, integrity, and availability, and assign ontology classes to determine what the assets are.
Interactive Countermeasure Selection
AURUM integrates corporate knowledge and calculates suggestions for the optimal allocation of resources. For example, it optimizes the investment costs and the running costs required to achieve a defined (acceptable) remaining risk. However, the decision makers using AURUM are not confronted with a single solution but are encouraged to explore different scenarios. AURUM provides decision makers with an intuitive interface for the risk evaluation that offers them information on the specific problem at hand, while the system ensures in the background that the chosen solution will be an efficient one. The decision makers learn about the consequences of their decisions and get information on the gap between the existing solution and the potential solutions in each category.
Real-time Risk Visualization
The risk visualization engine displays the calculated risk for the collected organizational units, business processes, and assets. It provides a detailed visualization of the ontology-based risk calculation for individual assets, as well as a visualization of the risk aggregation for individual organizational units and processes. In addition, it presents the current risk values based on the collected company inventory, the threat occurrence probabilities, and the currently implemented countermeasures. The ontology-based risk visualization is displayed if the selected item is an asset. The view shows the current threat impact for each security attribute of that asset. The impact values are combined with the security attribute requirements to calculate the risk values for the individual security attributes, and eventually the final risk value for the asset.
(Semi-)Automated Inventory
The AURUM network scanner can be used initially to identify the relevant corporate network assets. The currently supported scanning method is DNS, which acquires the registered host names from the user's local DNS server. The user can at this point change the ontology classes of the hosts and drag the hosts into the asset hierarchy. The policy scanner allows identifying relevant policies. The user needs to provide the location of the company's security-related documents, which can be located either directly on the user's computer or on a network share. After a successful scan, the user can refresh the countermeasures page to see the list of identified security controls. Based on this list, the application also automatically marks the matching security policies as implemented. The user can further use the widget to review the result details and make corrections where necessary.
Business process based risk management
AURUM enables risk management based on corporate business processes. The widget initially displays the company process landscape, where the user can additionally select the importance of individual processes and start the process-based calculations. After selecting a business process in the hierarchy structure, the content of the widget changes to the BPMN model of the selected process. If the process has no BPMN model assigned, the user can upload one or copy an existing one. The activities in the BPMN model can be further selected, which allows using the other widgets to specify the information for individual BPMN elements.
Consideration of interdependencies and compatibility
A threat requires a threat origin and an existing vulnerability to become effective. A human threat origin can exploit vulnerabilities either accidentally or deliberately. While standards and best practices often provide an example threat list, the risk manager is not always familiar with the nature of each threat. Which threats endanger critical assets? Which threat is a multiplier (i.e., gives rise to other threats)? Which vulnerabilities does a threat have to exploit to become effective? The threat probability selection in AURUM allows the user to select the occurrence probabilities of various threats based on the company context. The user can start by selecting one of the predefined risk profiles and then adapt the probabilities as needed. AURUM also allows automatically determining threat probabilities based on the organization-specific threat environment and existing control implementations.
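The two passages above (the ontology-based risk calculation per security attribute, and threat probabilities that depend on the chosen risk profile and on implemented controls) are illustrated by the following added example. It is not AURUM's own code or scoring formula: the scales (requirement weights 1..3, impact 0..1), the rule that each implemented countering control halves a threat's probability, the product form of the per-attribute risk and the sample threats and asset are all constructed assumptions for demonstration.

```python
from dataclasses import dataclass, field

ATTRIBUTES = ("confidentiality", "integrity", "availability")

@dataclass
class Threat:
    name: str
    probability: float            # assumed: occurrence probability from the risk profile, 0..1
    impact: dict                  # assumed: security attribute -> impact on the asset, 0..1
    countered_by: set = field(default_factory=set)  # controls that reduce this threat

@dataclass
class Asset:
    name: str
    requirements: dict            # assumed: security attribute -> protection requirement, 1..3

def effective_probability(threat, implemented, reduction=0.5):
    """Assumed model: every implemented control that counters the threat halves its probability."""
    p = threat.probability
    for control in threat.countered_by:
        if control in implemented:
            p *= reduction
    return p

def attribute_risks(asset, threats, implemented):
    """Risk per security attribute: the worst threat's probability x impact x requirement."""
    risks = {}
    for attr in ATTRIBUTES:
        req = asset.requirements.get(attr, 0)
        risks[attr] = max(
            (effective_probability(t, implemented) * t.impact.get(attr, 0.0) * req for t in threats),
            default=0.0,
        )
    return risks

def asset_risk(asset, threats, implemented):
    """Final asset risk: the highest of the attribute risks."""
    return max(attribute_risks(asset, threats, implemented).values())

def scenario_gap(asset, threats, current, proposed):
    """Risk reduction gained by moving from the current to a proposed set of controls."""
    return asset_risk(asset, threats, current) - asset_risk(asset, threats, proposed)

# Constructed sample data, not taken from the AURUM security ontology.
THREATS = [
    Threat("malware", 0.4, {"confidentiality": 0.5, "integrity": 1.0, "availability": 0.75}, {"antivirus"}),
    Threat("power failure", 0.2, {"availability": 1.0}, {"ups"}),
]
CUSTOMER_DB = Asset("customer database", {"confidentiality": 3, "integrity": 3, "availability": 2})
```

For the sample data, `asset_risk(CUSTOMER_DB, THREATS, set())` is driven by the integrity attribute (1.2), and implementing the antivirus control halves the malware probability and brings the asset risk down to 0.6.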
