Risk Analyst (Los Angeles)

D3 Search
Los Angeles, US
Remote

Job Description

D3 Search is seeking a Third-Party Risk Analyst I (IT/Technology Dept.) on behalf of a highly respected AmLaw-ranked global law practice with offices in downtown Los Angeles, CA (90071).

Position Title:

Third-Party Risk Analyst I (IT/Technology Dept.)

Location:

Los Angeles, CA (90071)

Employer Work Model:

Fully remote work model.

  • Note: candidates must reside within commutable distance of Los Angeles, CA.

Position Summary:

The Third-Party Risk Analyst I is a member of the IT/Technology Security Team and is responsible for conducting technical security assessments of the firm's third-party vendors, with a focus on SaaS security, cloud security configurations, API security, DevSecOps maturity, and encryption management. The Analyst ensures that the firm's third-party vendors meet or exceed the firm's security requirements, client obligations, and industry best practices for modern cloud-based and software-driven environments. The position also helps the IT Security Team protect the confidentiality, integrity, and availability of firm systems and data.

Key Duties & Responsibilities:

  • Conduct in-depth technical security assessments of third-party SaaS platforms, cloud infrastructure (AWS, Azure, GCP), and hosted services, evaluating architecture, access controls, data segregation, and encryption implementation.
  • Review and assess vendor security documentation against industry frameworks (CIS Benchmarks, NIST, ISO 27001) and assurance reports (e.g., SOC 2 Type II), aligning findings to the firm's internal security requirements.
  • Evaluate and triage vendor security findings from external risk rating platforms, distinguishing true risks from false positives to support informed, risk-based decisions.
  • Evaluate vendor IAM configurations, including SSO/SAML integration, SCIM provisioning, role-based access controls, and privileged access management.
  • Evaluate vendor API security practices, including authentication mechanisms (OAuth 2.0, mutual TLS), rate limiting, input validation, and secure data transmission protocols.
  • Review vendor encryption management practices, including key management lifecycle, encryption at rest and in transit standards, certificate management, and cryptographic algorithm compliance.
  • Assess vendor data residency, sovereignty, and cross-border transfer mechanisms to ensure compliance with applicable regulatory frameworks (GDPR, CCPA, PIPEDA).
  • Analyze vendor penetration test reports, vulnerability scan results, and bug bounty program outcomes to identify residual risk exposure.
  • Assess vendor DevSecOps maturity, including secure SDLC practices, CI/CD pipeline security controls, container security, infrastructure-as-code scanning, and software composition analysis.
  • Review vendor incident response capabilities, including detection and response SLAs, breach notification commitments, and forensic investigation support.
  • Monitor and track issued findings, gaps, exceptions, and mitigation plans through to timely remediation.
  • Track and analyze third-party risk metrics and technical risk indicators to determine vendor risk rankings and potential risk exposure.
  • Prepare technical risk reports and presentations for firm leadership on significant third-party security risks and trends.
  • Investigate and respond to third-party security incidents, following established incident handling playbooks.
  • Review and provide technical input on security and data protection terms in third-party vendor and client contracts, with emphasis on technical security requirements and SLAs.
  • Review and respond to client security questionnaires with technical specificity.
  • Support the IT Security Team in responding to client security audits.
  • Review and advise firm stakeholders on client outside counsel guidelines and manage client special data handling provisions.
  • Collaborate with IT Security Engineers on technical validation of vendor security claims and configurations.
  • Continually improve the firm's vendor risk assessment methodology, processes, tools, and procedures to address emerging cloud and SaaS threat vectors and industry best practices.
  • Stay current on cloud security trends, SaaS security frameworks, API threat landscapes, and evolving third-party risk management standards.

Background/Requirements:

  • Bachelor’s Degree in Computer Science, Information Technology, Cybersecurity, or a related field, or at least 3 years of work experience in a technical security role within a large enterprise or professional services firm.
  • Demonstrated hands-on experience evaluating cloud security architectures (AWS, Azure, or GCP), including infrastructure configurations, network segmentation, and identity management.
  • Experience assessing SaaS application security, including multi-tenancy isolation, data encryption, and integration security.
  • Working knowledge of API security principles, including REST/GraphQL security, authentication protocols, and secure data excha

Skills & Requirements

Technical Skills

  • Cloud security configurations
  • API security practices
  • Encryption management practices
  • Vendor security documentation
  • Vendor security findings
  • Vendor IAM configurations
  • Vendor API security practices
  • Vendor encryption management practices
  • Vendor data residency
  • Vendor DevSecOps maturity
  • Vendor incident response capabilities
  • Vendor penetration test reports
  • Vendor vulnerability scan results
  • Vendor bug bounty program outcomes
  • IT/Technology
  • Security

Employment Type

FULL TIME

Level

Junior

Posted

5/8/2026
