The IT Manager is Leaving - What do I lockdown?

Obviously the physical security needs to be addressed, but after that...

Assuming you don't have a documented procedure for when employees leave (environment generic as you don't mention which platforms you run):

1. Start with perimeter security. Change all passwords on any perimeter equipment like routers, firewalls, vpn's, etc... Then lock out any accounts the IT manager had, as well as review all of the remaining accounts for any that are no longer used, and any that don't belong (in case he added a secondary).
2. Email - remove his account or at least disable logins to it depending on your company policy.
3. Then go through your host security. All machines and directory services should have his account disabled and/or removed. (Removed is preferred, but you might need to audit them in case he has anything running that is valid under them first). Again, also review for any accounts that are no longer used, as well as any that don't belong. Disable/remove those as well. If you use ssh keys you should change them on admin/root accounts.
4. Shared accounts, if you have any, should all have their passwords changed. You should also look at removing shared accounts or disabling interactive login on them as a general practice.
5. Application accounts... don't forget to change passwords, or disable/remove accounts from all applications he had access to as well, starting with admin access accounts.
6. Logging... make sure you have good logging in place for account usage and monitor it closely to look for any suspicious activity.
7. Backups... make sure your backups are current, and secure (preferably offsite). Make sure you've done the same as above with your backup systems as far as accounts.
8. Documents... try as much as you can to identify, request from him if possible, and copy somewhere secure, all of his documentation.
9. If you have any services outsourced (email, spam filtering, hosting of any type, etc..), make sure to do all of the above that are appropriate with those services as well.

As you do all of this, document it, so that you have a procedure in place for future terminations.

Also, if you use any colocation services, make sure to have his name removed from the access list and ticket submission list. It'd be wise to do the same for any other vendors where he was the primary person handling, so that he can't cancel or mess with services you get from those vendors, and also so that vendors know who to contact for renewals, problems, etc... which can save you some headaches when something the IT manager didn't document happens.

I'm sure there's more I missed, but that's off the top of my head.

Don't forget physical security - make sure he can't get into any building - it's great that you're all over the network kit but if he can get to the data centre it's pointless.

We suspected that a disgruntled employee who was still in their notice period may have installed some remote-access programs, so we limited his logon account to work hours only, so that he couldn't remote in after-hours when nobody was around to do things (during work hours we could see his screen clearly so if he got up to mischief we would have known).

Turned out to be valuable, he had installed LogMeIn and did in fact attempt after-hours access.

(this was a small company network, no ACLs or fancy firewalls)

Also be carefull not to lockdown too much. I remember a situation where someone left and a day later it became apparent that some business critical software was actually running under his personal user account.

Just to add - also make sure you've got auditing of failed and successful logins - bunch of failures for an account followed by success could equal hacking. You might also make everyone else change their passwords too if the IT Manager was involved in password settings. Don't forget database passwords too and you may want to scrub his/her email account for secure information. I'd also put access checks on any confidential information/databases, and disallow him/her to perform system/database backups.

Hope this helps.

Make sure too, before you let this individual go, to understand that things can and will go down, or be problematic until you replace that individual. I would hope that you won't blame them for everything that goes down just because you assume/know it wont be a good parting of ways, or think they are hacking you somehow because the toilet overflowed.

Hopefully that scenario sounds preposterous to you. But it is a true story from my last job that now the owner is trying to sue me for sabotage (basically because I quit and they aren't willing to actually pay anyone the market rate to replace me) and cyber crimes such as hacking and internet racketeering.

Bottom line is, evaluate the "why" for the reason of their dismissal. If it is anything other than economical needs, I suggest you refine your hiring procedures so that you can hire a more professional individual in which, by profession, needs to be reliable and trustworthy with business mission critical and usually confidential information and who can install proper security procedures that everyone must follow.

One way to know as you are interviewing is how well they are interviewing you and your business in return. Liability (As in what the company thinks the IT Manager can be held at fault for should something go wrong- usually would be in a contract) and overall network security is one of the 3 top things on any proper IT manager/CTO's mind when coming in to interview for a job.

Change all admin passwords (servers, routers, switches, remore access, firewalls) Remove all firewall rules for remote access for the IT manager. If you are using security tokens, disassociate the IT manager's token(s) from all access. Remove TACACS access (if you use this).

Make sure to do these changes with the IT manager in a conference room or otherwise under physical control, so s/he can't observe the process. While reading a poassword as it's being typed on a keyboard is non-trivial (not hard, just not trivial), if this needs to be repeated, there's a higher risk of teh password being gleaned.

If possible, change locks. If keys can be replicated (and in short, they can), this will stop the IT manager from gaining physical access afterwards. Disable any passcard you cannot account for (not only card(s) you know have been issued to the IT manager).

If you have multiple incoming phone lines, check ALL of them, to make sure no unknown devices are attached to them.

Check the firewall policies
Change the admin password and check for accounts that are no more in use.
Revoke his/her certificates
Backup his/her workstation and format it.
Use checksum controls for the important files on your servers and put an IDS to a span port in your rack for while.

Just my 2cts.

Check for extra accounts, too. He could easily add a new account once he knows he's leaving. Or even soon after he arrived.

Don't forget to blow out any extranet type accounts that he might have on behalf of your company. These are often overlooked and often the cause of much grief post-mortem.

Might (along the "I'm ultra-paranoid" track) want to also notify your sales reps for different vendors that you work with in case he tried to contact someone there .