Risk Analyst

D3 Search - Los Angeles, CA

Job Description

D3 Search is seeking a Third-Party Risk Analyst I (IT/Technology Dept.) on behalf of a highly respected AMLAW ranked global law practice with offices located in downtown Los Angeles, CA (90071).

Position Title: Third-Party Risk Analyst I (IT/Technology Dept.)
Location/Map: Los Angeles, CA (90071)
Employer Work Model: Fully remote work model.
Note: must reside within commutable distance to Los Angeles, CA.

Position Summary

The Third-Party Risk Analyst I is a member of the IT/Technology Security Team responsible for conducting technical security assessments of the firm's third-party vendors, with a focus on SaaS security, cloud security configurations, API security, DevSecOps maturity, and encryption management. The Analyst shall ensure that the firm's third-party vendors meet or exceed the firm's security requirements, client obligations, and industry best practices for modern cloud-based and software-driven environments. The position is also responsible for helping the IT Security Team protect the confidentiality, integrity, and availability of firm systems and data.

Key Duties & Responsibilities

  • Conduct in-depth technical security assessments of third-party SaaS platforms, cloud infrastructure (AWS, Azure, GCP), and hosted services, evaluating architecture, access controls, data segregation, and encryption implementation.
  • Review and assess vendor security documentation against industry frameworks (CIS Benchmarks, NIST, ISO 27001) and assurance reports (e.g., SOC 2 Type II), aligning findings to the firm's internal security requirements.
  • Evaluate and triage vendor security findings from external risk rating platforms, distinguishing true risks from false positives to support informed, risk-based decisions.
  • Evaluate vendor IAM configurations, including SSO/SAML integration, SCIM provisioning, role-based access controls, and privileged access management.
  • Evaluate vendor API security practices, including authentication mechanisms (OAuth2.0, mutual TLS), rate limiting, input validation, and secure data transmission protocols.
  • Review vendor encryption management practices, including key management lifecycle, encryption at rest and in transit standards, certificate management, and cryptographic algorithm compliance.
  • Assess vendor data residency, sovereignty, and cross-border transfer mechanisms to ensure compliance with applicable regulatory frameworks (GDPR, CCPA, PIPEDA).
  • Analyze vendor penetration test reports, vulnerability scan results, and bug bounty program outcomes to identify residual risk exposure.
  • Assess vendor DevSecOps maturity, including secure SDLC practices, CI/CD pipeline security controls, container security, infrastructure-as-code scanning, and software composition analysis.
  • Review vendor incident response capabilities, including detection and response SLAs, breach notification commitments, and forensic investigation support.
  • Monitor and track issued findings, gaps, exceptions, and mitigation plans through to timely remediation.
  • Track and analyze third-party risk metrics and technical risk indicators to determine vendor risk rankings and potential risk exposure.
  • Prepare technical risk reports and presentations for firm leadership on significant third-party security risks and trends.
  • Investigate and respond to third-party security incidents, following established incident handling playbooks.
  • Review and provide technical input on security and data protection terms in third-party vendor and client contracts, with emphasis on technical security requirements and SLAs.
  • Review and respond to client security questionnaires with technical specificity.
  • Support the IT Security Team in responding to client security audits.
  • Review and advise firm stakeholders on client outside counsel guidelines and manage client special data handling provisions.
  • Collaborate with IT Security Engineers on technical validation of vendor security claims and configurations.
  • Continually improve the firm's vendor risk assessment methodology and processes, tools, and procedures to address emerging cloud and SaaS threat vectors and industry best practices.
  • Stay current on cloud security trends, SaaS security frameworks, API threat landscapes, and evolving third-party risk management standards.

Background/Requirements

  • Bachelor's Degree in Computer Science, Information Technology, Cybersecurity, or a related field, or at least 3 years of work experience in a technical security role within a large enterprise or professional services firm.
  • Demonstrated hands-on experience evaluating cloud security architectures (AWS, Azure, or GCP), including infrastructure configurations, network segmentation, and identity management.
  • Experience assessing SaaS application security, including multi-tenancy isolation, data encryption, and integration security.
  • Working knowledge of API security principles, including REST/GraphQL security, authentication protocols, and secure data exchange patterns.
  • Familiarity with DevSecOps concepts, including CI/CD pipeline security, container orchestration security, and software supply chain risk.
  • Experience reviewing vendor compliance documentation, including SOC 2 Type II reports, ISO 27001 certificates, and penetration test summaries.
  • CCSP, CCSK, Security+, CISSP, CISA, CTPRP, CRISC, CIPP or other equivalent certifications.
  • CISA, CTPRP, CISSP or other equivalent security certifications.
  • Experience in third party vendor management process.
  • Experience in contract and compliance documentation review.
  • Experience in managing client security relationships.
  • Ability to communicate complex technical information to non-technical, technical, and managerial audiences both written and orally.
  • Ability to perform due diligence and act with due care in support of the firm's Information Security Program.
  • Ability to quickly respond and act when faced with high pressure situations.
  • Skill in customer relations with vendors and internal users, critically reviewing statements of work, contracts, and ability to negotiate pricing and agreements optimal to the firm.
  • Excellent communication and organizational skills, including the ability to interact effectively with a diverse range of personnel in a calm and professional manner at all times, particularly under pressure.
  • Excellent time management, prioritization and organizational skills, including the ability to manage multiple assignments simultaneously, take ownership, and effectively execute deliverables in a fast-paced and high-pressure environment.

Salary/Compensation/Benefits:

Yearly salary is up to 140K ~ DOQ including a and a comprehensive and robust health benefits package, generous PTO, fully remote work model, annual salary reviews/increases and lucrative bonuses, and many other notable employee-centered perks, etc.

If interested in this Third-Party Risk Analyst I (IT/Technology Dept.) role located in downtown Los Angeles, CA (90071), and you meet the above qualifications/requirements, please contact the following D3 rep.:

Domenic Ferrante ~ D3 Search | domenic@ | 213-785-2485

D3 Legal Search LLC (aka D3 Search), and its clients are equal opportunity employers. Pursuant to local ordinances, we will consider qualified applicants with criminal histories in a manner consistent with the requirements of the Fair Chance Initiative for Hiring Ordinance.

Created: 2026-05-09
