The IT Manager is Leaving – What do I lockdown?

Obviously the physical security needs to be addressed, but after that…

Assuming you don’t have a documented procedure for when employees leave (environment generic as you don’t mention which platforms you run):

  1. Start with perimeter security. Change all passwords on any perimeter equipment like routers, firewalls, vpn’s, etc… Then lock out any accounts the IT manager had, as well as review all of the remaining accounts for any that are no longer used, and any that don’t belong (in case he added a secondary).
  2. Email – remove his account or at least disable logins to it depending on your company policy.
  3. Then go through your host security. All machines and directory services should have his account disabled and/or removed. (Removed is preferred, but you might need to audit them in case he has anything running that is valid under them first). Again, also review for any accounts that are no longer used, as well as any that don’t belong. Disable/remove those as well. If you use ssh keys you should change them on admin/root accounts.
  4. Shared accounts, if you have any, should all have their passwords changed. You should also look at removing shared accounts or disabling interactive login on them as a general practice.
  5. Application accounts… don’t forget to change passwords, or disable/remove accounts from all applications he had access to as well, starting with admin access accounts.
  6. Logging… make sure you have good logging in place for account usage and monitor it closely to look for any suspicious activity.
  7. Backups… make sure your backups are current, and secure (preferably offsite). Make sure you’ve done the same as above with your backup systems as far as accounts.
  8. Documents… try as much as you can to identify, request from him if possible, and copy somewhere secure, all of his documentation.
  9. If you have any services outsourced (email, spam filtering, hosting of any type, etc..), make sure to do all of the above that are appropriate with those services as well.

As you do all of this, document it, so that you have a procedure in place for future terminations.

Also, if you use any colocation services, make sure to have his name removed from the access list and ticket submission list. It’d be wise to do the same for any other vendors where he was the primary person handling, so that he can’t cancel or mess with services you get from those vendors, and also so that vendors know who to contact for renewals, problems, etc… which can save you some headaches when something the IT manager didn’t document happens.

I’m sure there’s more I missed, but that’s off the top of my head.

Leave a Comment