Job Description
D3 Search is seeking a Third-Party Risk Analyst I (IT/Technology Dept.) on behalf of a highly respected AMLAW ranked global law practice located in downtown Los Angeles, CA (90071).
Position Title🎯:
Third-Party Risk Analyst I (IT/Technology Department)
Location/Map📍:
Los Angeles, CA (90071)
Employer Work Model:
100% fully remote work model.
- IMPORTANT NOTE: Must reside within a commutable distance to downtown Los Angeles, CA (90071).
Position Summary📒:
The Third-Party Risk Analyst I is a member of the IT/Technology Security Team responsible for conducting technical security assessments of the firm’s third-party vendors, with a focus on SaaS security, cloud security configurations, API security, DevSecOps maturity, and encryption management. The Analyst shall ensure that the firm’s third-party vendors meet or exceed the firm’s security requirements, client obligations, and industry best practices for modern cloud-based and software-driven environments. The position is also responsible for helping the IT Security Team protect the confidentiality, integrity, and availability of firm systems and data.
Key Duties & Responsibilities🗝:
- Conduct in-depth technical security assessments of third-party SaaS platforms, cloud infrastructure (AWS, Azure, GCP), and hosted services, evaluating architecture, access controls, data segregation, and encryption implementation.
- Review and assess vendor security documentation against industry frameworks (CIS Benchmarks, NIST, ISO 27001) and assurance reports (e.g., SOC 2 Type II), aligning findings to the firm's internal security requirements.
- Evaluate and triage vendor security findings from external risk rating platforms, distinguishing true risks from false positives to support informed, risk-based decisions.
- Evaluate vendor IAM configurations, including SSO/SAML integration, SCIM provisioning, role-based access controls, and privileged access management.
- Evaluate vendor API security practices, including authentication mechanisms (OAuth2.0, mutual TLS), rate limiting, input validation, and secure data transmission protocols.
- Review vendor encryption management practices, including key management lifecycle, encryption at rest and in transit standards, certificate management, and cryptographic algorithm compliance.
- Assess vendor data residency, sovereignty, and cross-border transfer mechanisms to ensure compliance with applicable regulatory frameworks (GDPR, CCPA, PIPEDA).
- Analyze vendor penetration test reports, vulnerability scan results, and bug bounty program outcomes to identify residual risk exposure.
- Assess vendor DevSecOps maturity, including secure SDLC practices, CI/CD pipeline security controls, container security, infrastructure-as-code scanning, and software composition analysis.
- Review vendor incident response capabilities, including detection and response SLAs, breach notification commitments, and forensic investigation support.
- Monitor and track issued findings, gaps, exceptions, and mitigation plans through to timely remediation.
- Track and analyze third-party risk metrics and technical risk indicators to determine vendor risk rankings and potential risk exposure.
- Prepare technical risk reports and presentations for firm leadership on significant third-party security risks and trends.
- Investigate and respond to third-party security incidents, following established incident handling playbooks.
- Review and provide technical input on security and data protection terms in third-party vendor and client contracts, with emphasis on technical security requirements and SLAs.
- Review and respond to client security questionnaires with technical specificity.
- Support the IT Security Team in responding to client security audits.
- Review and advise firm stakeholders on client outside counsel guidelines and manage client special data handling provisions.
- Collaborate with IT Security Engineers on technical validation of vendor security claims and configurations.
- Continually improve the firm's vendor risk assessment methodology and processes, tools, and procedures to address emerging cloud and SaaS threat vectors and industry best practices.
- Stay current on cloud security trends, SaaS security frameworks, API threat landscapes, and evolving third-party risk management standards.
Background/Requirements💡:
- Bachelor’s Degree in Computer Science, Information Technology, Cybersecurity, or a related field, or at least 3 years of work experience in a technical security role within a large enterprise or professional services firm.
- Demonstrated hands-on experience evaluating cloud security architectures (AWS, Azure, or GCP), including infrastructure configurations, network segmentation, and identity management.
- Experience assessing SaaS application security, including multi-tenancy isolation, data encryption, and integration security.
- Working knowledge of API security principles, including REST/GraphQL security, authentication protocols, and secure data exchange patterns.
- Familiarity with DevSecOps concepts, including CI/CD pipeline security, container orchestration security, and software supply chain risk.
- Experience reviewing vendor compliance documentation, including SOC 2 Type II reports, ISO 27001 certificates, and penetration test summaries.
- CCSP, CCSK, Security+, CISSP, CISA, CTPRP,CRISC, CIPP or other equivalent certifications.
- Demonstrated hands-on experience evaluating cloud security architectures (AWS, Azure, or GCP), including infrastructure configurations, network segmentation, and identity management.
- CISA, CTPRP, CISSP or other equivalent security certifications.
- Experience in third party vendor management process.
- Experience in contract and compliance documentation review.
- Experience in managing client security relationships.
- Ability to communicate complex technical information to non-technical, technical, and managerial audiences both written and orally.
- Ability to perform due diligence and act with due care in support of the firm’s Information Security Program.
- Ability to quickly respond and act when faced with high pressure situations.
- Skill in customer relations with vendors and internal users, critically reviewing statements of work, contracts, and ability to negotiate pricing and agreements optimal to the firm.
- Excellent communication and organizational skills, including the ability to interact effectively with a diverse range of personnel in a calm and professional manner at all times, particularly under pressure.
- Excellent time management, prioritization and organizational skills, including the ability to manage multiple assignments simultaneously, take ownership, and effectively execute deliverables in a fast-paced and high-pressure environment.
Salary💰/Compensation/Benefits:
Yearly salary is up to 140K ~ DOQ including a and a comprehensive and robust health benefits package, generous PTO, fully remote work model, annual salary reviews/increases and lucrative bonuses, and many other notable employee-centered perks, etc.
If interested in this Third-Party Risk Analyst I (IT/Technology Dept.) role located in downtown Los Angeles, CA (90071), and you meet the above qualifications/requirements, please contact the following D3 rep.:
Domenic Ferrante ~ D3 Search
📬domenic@d3search.com | ☎️ 213-785-2485
📡 www.d3search.com
D3 Legal Search LLC (aka D3 Search), and its clients are equal opportunity employers. Pursuant to local ordinances, we will consider qualified applicants with criminal histories in a manner consistent with the requirements of the Fair Chance Initiative for Hiring Ordinance.
