please go through the below profiles
1)Signon Password Length:
Signon Password Length defines the minimum length of the password
2)Signon Password Hard To Guess:
Setting this profile to Yes will provide the following password policies:
The password contains at least one letter AND at least one number
The password does not contain the username
3)Signon Password No Reuse
This profile will provide the number of days an user must wait before reusing an earlier used password.
4)Signon Password Failure Limit:
This profile provides the number of login attempts an user can do. We need to set it 3 for our requirement
How Can I Restrict Applications Users To Be Signed In Only Once At Any Time (Doc ID 375403.1)
How about login idle timeout?
You can go with profile ICX Session Timeout
What other user controls do I need to implement?