Improving security and reducing risks in enterprise information systems relies on analysing threats, risks and vulnerabilities to specify appropriate countermeasures. Risk assessment and information security remain a crucial challenge for small enterprise information systems. The problem grows in complexity with medium and large enterprise information systems, and becomes a bottleneck when different partners have to exchange information and collaborate through distributed business processes. In this paper, we distinguish between steady and dynamic environments in which information systems are deployed and monitored. We demonstrate that a global security policy must be adaptable at any time to address new changes in dynamic environments and to cope with new challenges in risk management. We introduce a holistic approach to risk and security management through the definition of a Service Characteristics Infrastructure (SCI) that includes certificate authorities, signed service characteristics, and security policies.